- A flaw in ServiceNow access control lists meant that users could be granted access without satisfying all of the conditions
- New checks have been added to mitigate the risk
- Users are advised to review their tables and ACLs
A flaw in ServiceNow could have allowed threat actors to exfiltrate sensitive data belonging to other users without those users ever knowing, security experts have warned.
The flaw, tracked as CVE-2025-3648 and given a severity score of 8.2/10 (high), was nicknamed "Count(er) Strike" and was spotted by security researchers at Varonis.
According to Varonis, the bug stems from defective access control lists (ACLs), which are used to restrict access to the data held in tables. Each ACL evaluates four conditions to decide whether or not a user should be granted a given resource. To access a resource, all of those conditions must be satisfied, but if a resource is protected by several ACLs, the platform falls back to a previously used "authorize if" condition.
Systems update
This means that if a user satisfies only one of the ACLs, they would be granted access (sometimes full access).
"Each resource or table in ServiceNow can have many ACLs, each defining different conditions for access," Varonis said in its report.
"However, if a user passes only one ACL, they have access to the resource, even if other ACLs may not grant access. If there is no ACL present for the resource, access will default to the access property, which is defined to deny in most cases."
According to BleepingComputer, the bug has since been squashed, as ServiceNow has introduced a number of new features, including "Deny Unless" ACLs.
These force users to pass all ACLs before access is granted. All ServiceNow users are advised to manually review their tables and modify their ACLs to ensure they are not overly permissive.
ServiceNow is a cloud-based platform that helps organizations automate and manage IT services, workflows and business processes, and serves more than 8,400 companies, including the majority of the Fortune 500.
Via BleepingComputer
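To make the difference between the two evaluation models concrete, here is a small, constructed Python model of per-table ACL evaluation (an added illustration, not ServiceNow's own code or API; the ACL structure, role names and the two evaluation functions are assumptions made for the example). It contrasts the legacy "any single ACL passing grants access" behaviour with the "deny unless all ACLs pass" behaviour, and includes a review helper that flags the ACLs that would grant access on their own while sibling ACLs deny it.

```python
"""Toy model of multi-ACL table access (constructed example, not ServiceNow code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    name: str
    roles: frozenset          # user must hold at least one of these (empty = no role check)
    owner_only: bool = False  # extra condition: user must own the record


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def acl_passes(acl: Acl, user: User, record_owner: str) -> bool:
    """Every condition inside a single ACL must hold for that ACL to pass."""
    if acl.roles and not (acl.roles & user.roles):
        return False
    if acl.owner_only and record_owner != user.name:
        return False
    return True


def legacy_allows(acls: list, user: User, record_owner: str) -> bool:
    """Legacy semantics: one passing ACL is enough; no ACL at all means default deny."""
    if not acls:
        return False
    return any(acl_passes(a, user, record_owner) for a in acls)


def deny_unless_allows(acls: list, user: User, record_owner: str) -> bool:
    """'Deny unless' semantics: every ACL protecting the table must pass."""
    if not acls:
        return False
    return all(acl_passes(a, user, record_owner) for a in acls)


def overly_permissive(acls: list, user: User, record_owner: str) -> list:
    """Review helper: names of ACLs that alone grant access while other ACLs deny it."""
    passing = [a for a in acls if acl_passes(a, user, record_owner)]
    if passing and len(passing) < len(acls):
        return [a.name for a in passing]
    return []


# Constructed sample table: two ACLs, one role-based and one owner-based.
INCIDENT_ACLS = [
    Acl("incident_itil_role", frozenset({"itil"})),
    Acl("incident_owner_only", frozenset(), owner_only=True),
]
BOB = User("bob", frozenset({"itil"}))      # has the role, does not own the record
GUEST = User("guest", frozenset({"guest"}))  # satisfies neither ACL
```

Running `legacy_allows(INCIDENT_ACLS, BOB, "alice")` shows Bob reading Alice's record under the legacy model, while `deny_unless_allows` refuses it and `overly_permissive` names the role-based ACL as the one to review.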