ServiceNow has notified customers of a security incident in which unauthorized parties accessed data from customer environments. The company has since rolled out a security update and is still investigating exactly what data was accessed.
The software vendor discovered anomalous activity traced to a vulnerability in an API configuration, reports BleepingComputer. This allowed attackers, under certain circumstances, to retrieve information from ServiceNow instances without authentication. On June 5, the company implemented a fix that now restricts access to the affected API endpoint to authenticated users only.
According to ServiceNow, the vulnerability was in fact exploited. The company has not disclosed what data was accessed. This could have far-reaching consequences, as organizations often use ServiceNow to manage IT processes, support requests, configuration data, and internal documentation. Such environments often contain sensitive data such as login credentials, API keys, and information about security incidents.
Only specific customers affected
The company has since contacted the organizations identified as affected by the incident directly. According to ServiceNow, customers who have not received a notification should not assume that their environment has been affected at this time.
The company’s communication indicates that primarily customers using the Australia release of the platform were at risk. Certain older platform versions may also have been vulnerable if specific configuration changes had been implemented.
ServiceNow has not disclosed any technical details about the vulnerability. However, administrators and security specialists speculate that the issue was related to a REST endpoint that allowed data to be created or modified. According to posts on online forums, authentication may have been disabled for that component, allowing unauthorized requests to be processed.
In addition, there are indications that attackers were active from a specific IP address. Several administrators have urged each other to check log files for suspicious requests to the relevant API function.
Investigation ongoing
The incident once again underscores the value of IT service management platforms to attackers. Support tickets and management environments often contain a wealth of operational and security-related information that can be used for further attacks on an organization.
ServiceNow is still investigating whether to request an official CVE registration for the vulnerability. In the meantime, the company advises administrators to analyze log files, assess potentially exposed data, and, where necessary, replace shared passwords, tokens, and other access credentials. It is also recommended to verify that API logging is fully enabled so that any suspicious activity can be investigated afterward.
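As an added example (not from the article, ServiceNow, or BleepingComputer), the kind of log check the advice above describes: a Python script that parses constructed API access-log lines and reports requests to the affected endpoint that carried no authenticated user yet still succeeded, grouped by source IP. The one-request-per-line layout and the placeholder path /api/EXAMPLE_ENDPOINT are assumptions, since the article gives neither the log format nor the endpoint.

```python
import re
from collections import defaultdict

# Constructed sample log; the one-request-per-line layout is an assumption for
# this example, not ServiceNow's real log format. Fields: timestamp, source IP,
# authenticated user ("-" = none), method, path, HTTP status. Endpoint path is a placeholder.
SAMPLE_LOG = """\
2024-06-03T09:12:44Z 198.51.100.23 - GET /api/EXAMPLE_ENDPOINT/records 200
2024-06-03T09:12:45Z 198.51.100.23 - GET /api/EXAMPLE_ENDPOINT/records?limit=1000 200
2024-06-03T09:14:02Z 203.0.113.7 admin GET /api/EXAMPLE_ENDPOINT/records 200
2024-06-03T09:15:10Z 198.51.100.23 - POST /api/EXAMPLE_ENDPOINT/records 201
2024-06-04T11:01:00Z 192.0.2.55 jsmith GET /api/other/path 200
2024-06-06T11:02:00Z 192.0.2.55 - GET /api/EXAMPLE_ENDPOINT/records 401
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Split one log line into a dict; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, method, path, status = m.groups()
    return {"ts": ts, "ip": ip, "user": user, "method": method,
            "path": path, "status": int(status)}

def find_unauthenticated_hits(log_text, endpoint_prefix):
    """Requests to the endpoint with no authenticated user that still got a 2xx.
    A 401/403 on the same path is the access control doing its job, so it is not exposure."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(endpoint_prefix):
            continue
        if rec["user"] == "-" and 200 <= rec["status"] < 300:
            hits.append(rec)
    return hits

def summarize_by_ip(hits):
    """Per source IP: hit count, first/last seen, methods used (writes mean data was modified)."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "methods": set()})
    for rec in sorted(hits, key=lambda r: r["ts"]):
        s = summary[rec["ip"]]
        s["count"] += 1
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
        s["methods"].add(rec["method"])
    return dict(summary)

if __name__ == "__main__":
    print(summarize_by_ip(find_unauthenticated_hits(SAMPLE_LOG, "/api/EXAMPLE_ENDPOINT")))
```

Running it against the constructed sample reports one source IP with three successful unauthenticated requests, including a POST, while the 401 from the other address is correctly left out.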