A newly discovered ServiceNow vulnerability allows attackers to extract sensitive data from restricted tables without full access.
The flaw, called Count(er) Strike, was uncovered by Varonis Threat Labs earlier this year.

ServiceNow is a leading cloud platform used by businesses worldwide to manage digital workflows and enterprise operations.
It is trusted by government agencies, healthcare providers, banks, and large enterprises across multiple industries.

This latest security flaw could impact millions of users, including major corporations and public sector organizations.


What is the Count(er) Strike ServiceNow Vulnerability?

The ServiceNow vulnerability affects how Access Control Lists (ACLs) handle multiple security conditions.
ACLs are meant to block unauthorized access to sensitive data stored in ServiceNow tables.

Each ACL evaluates four conditions:

  • Required roles
  • Security attributes
  • Data conditions
  • Script conditions

Access should be granted only if all four conditions are satisfied.
However, researchers found that ServiceNow sometimes granted partial access if just one condition was met.

In some cases, this exposed sensitive record counts without displaying the actual data.


How the Flaw Allows Data Enumeration

Even without full access, attackers can extract useful information from partial data leaks.
When a user fails some ACL checks, ServiceNow still returns record counts in the interface and in the page source code.

Varonis researchers discovered that by manipulating filters, attackers could guess hidden content.
Attackers use operators like STARTSWITH, CONTAINS, =, or != to shape their queries.

For example:
https://[company].service-now.com/task_list.do?sysparm_query=short_descriptionSTARTSWITHa

By automating this process, they can slowly enumerate restricted data, one character at a time.
Even though the actual records remain hidden, counts reveal enough to uncover sensitive patterns.
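
For defenders, the automated pattern described above is visible in request logs. The following is an added example, not code from Varonis or ServiceNow: it flags accounts that send many distinct STARTSWITH or CONTAINS filters against one field. The log layout, the sample lines and the min_probes threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log; the "<time> <user> <request>" layout is an assumption.
SAMPLE_LOG = """\
10:00:01 guest1 /task_list.do?sysparm_query=short_descriptionSTARTSWITHa
10:00:02 guest1 /task_list.do?sysparm_query=short_descriptionSTARTSWITHb
10:00:03 guest1 /task_list.do?sysparm_query=short_descriptionSTARTSWITHc
10:00:04 guest1 /task_list.do?sysparm_query=short_descriptionSTARTSWITHs
10:00:05 guest1 /task_list.do?sysparm_query=short_descriptionSTARTSWITHse
10:00:06 guest1 /task_list.do?sysparm_query=short_descriptionSTARTSWITHsec
10:00:07 guest1 /task_list.do?sysparm_query=short_descriptionSTARTSWITHsecr
10:03:10 alice /task_list.do?sysparm_query=active=true^short_descriptionCONTAINSprinter
10:04:00 alice /incident_list.do?sysparm_query=priority=1
"""

# <field><OPERATOR><operand>, the shape of the page's example filter.
# Only STARTSWITH and CONTAINS are tracked here; "=" and "!=" are left out.
TERM = re.compile(r"^([a-z0-9_.]+?)(STARTSWITH|CONTAINS)(.+)$")

def find_enumeration(log_text, min_probes=5):
    """Map (user, table, field) -> (distinct operands, longest prefix chain)."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        user, url = parts[1], urlsplit(parts[2])
        table = url.path.rsplit("/", 1)[-1].replace("_list.do", "")
        for query in parse_qs(url.query).get("sysparm_query", []):
            for term in query.split("^"):  # "^" joins conditions in a filter
                m = TERM.match(term)
                if m:
                    probes[(user, table, m.group(1))].add(m.group(3))
    findings = {}
    for key, values in probes.items():
        if len(values) < min_probes:
            continue
        # Depth of the deepest a -> ab -> abc chain: the signature of
        # recovering a value one character at a time.
        depth = max(1 + sum(v != w and v.startswith(w) for w in values)
                    for v in values)
        findings[key] = (len(values), depth)
    return findings

if __name__ == "__main__":
    for (user, table, field), (n, depth) in find_enumeration(SAMPLE_LOG).items():
        print(f"{user}: {n} probes on {table}.{field}, prefix chain depth {depth}")
```

On the constructed sample, only guest1 is flagged; alice's single CONTAINS search stays below the threshold.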


The Potential Impact of the ServiceNow Vulnerability

Attackers could infer sensitive information, including credentials, internal settings, and personal data.
The vulnerability affects more than just ServiceNow’s ITSM product.

Any ServiceNow service using the same ACL logic could be vulnerable.
Even self-registered accounts with minimal permissions could potentially exploit this flaw.

Varonis warns that several Fortune 500 companies still allow anonymous user registration, increasing risk.
The ServiceNow vulnerability shows how small leaks can enable large-scale data exposure.


ServiceNow’s Response and Security Fixes

ServiceNow has acted to address the Count(er) Strike flaw with several security updates:

  • Introduced Deny Unless ACLs, requiring all conditions to pass before granting access.
  • Added Query ACLs to block malicious filtering and enumeration attempts.
  • Recommended Security Data Filters to hide record counts and minimize exposure.

These changes were included in the Xanadu and Yokohama releases last month.


What Organizations Should Do Now

Despite ServiceNow’s fixes, customers must take action to secure their environments.
Admins should carefully review existing ACLs for over-permissive access.

All tables containing sensitive information should be double-checked and properly locked down.
Organizations must ensure anonymous registrations are disabled where not necessary.

Running security audits and applying the latest updates is essential to prevent exploitation.


Conclusion

So far, Varonis has found no evidence that this ServiceNow vulnerability has been exploited in the wild.
But the risk remains.

Partial data leaks can be powerful tools for attackers seeking footholds in enterprise environments.
Proactive security and proper configuration are the only ways to stay ahead of such threats.

The Count(er) Strike case highlights the hidden dangers of misconfigured access controls.
Even advanced systems like ServiceNow can fail without constant security oversight.

