A newly discovered vulnerability, Count(er) Strike, enables unauthorized users to extract sensitive data from the widely used ServiceNow service management suite.

A newly discovered vulnerability in ServiceNow, dubbed “Count(er) Strike”, allows low-privileged—and in some cases, unauthenticated—users to extract sensitive data from ServiceNow tables, even when they should have no access to that information. With thousands of organizations relying on ServiceNow for workflow automation and sensitive business processes, the potential impact is especially concerning.

Understanding the Count(er) Strike Vulnerability

The “Count(er) Strike” vulnerability centers on misconfigurations within ServiceNow’s access control mechanisms, particularly in the platform’s built-in widgets such as the “Simple List” widget. These widgets, if not properly secured, can be manipulated to bypass standard Access Control Lists (ACLs), enabling unauthorized users to read data from arbitrary tables.

Technical Background

Unlike most ServiceNow components, which are typically governed by robust ACLs, certain widgets rely on internal field configurations for access control. If these configurations are overlooked or improperly set, attackers can exploit the vulnerability to access sensitive information. Security researchers have identified two primary CVEs associated with this issue:

CVE-2024-5217

CVE-2024-5217 is a critical remote code execution (RCE) vulnerability affecting ServiceNow’s Now Platform, including the Washington DC, Vancouver, and Utah releases. The flaw allows unauthenticated attackers to execute arbitrary code within the platform, potentially resulting in full system compromise, data breaches, and operational disruption.

Technical Details

  • Vulnerability Type: Incomplete input validation in the GlideExpression Script component.
  • Root Cause: The vulnerability arises from improper sanitization of user input processed by the GlideExpression scripting framework, which is used for dynamic UI rendering and business logic automation. Attackers can inject malicious payloads that are executed within the platform’s context.
  • CVSS Score: 9.2–9.8 (Critical).
  • CWE Classification: CWE-184 (Incomplete List of Disallowed Inputs), CWE-697 (Improper Neutralization of Special Elements).

Impact

  • Unauthenticated Remote Code Execution: Attackers do not require valid credentials to exploit this flaw, making it highly dangerous for internet-exposed instances.
  • Potential Consequences:
    • Complete system takeover
    • Data theft and exposure of sensitive business information
    • Disruption of business operations
    • Supply chain attacks if leveraged against interconnected systems
  • Observed Activity: Security researchers and threat intelligence firms have reported active scanning and limited exploitation attempts in the wild, as well as weaponized proof-of-concept exploits published shortly after disclosure.

Affected Versions

Release          Fixed Version(s)
Utah             Patch 10 Hot Fix 3, Patch 10a Hot Fix 2, Patch 10b Hot Fix 1
Vancouver        Patch 6 Hot Fix 2, Patch 7 Hot Fix 3b, Patch 8 Hot Fix 4, Patch 9 Hot Fix 1, Patch 10
Washington DC    Patch 1 Hot Fix 3b, Patch 2 Hot Fix 2, Patch 3 Hot Fix 2, Patch 4, Patch 5
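As an added example (not code from the original article or from ServiceNow), the following Python encodes the fixed versions in the table above and reports whether a given instance version is at or beyond the fix for CVE-2024-5217. It assumes that Patch 10a and 10b are patch lines distinct from Patch 10, and that any patch line newer than the newest one listed also carries the fix.

```python
import re

# Fixed versions for CVE-2024-5217, copied from the table above.
FIXED = {
    "Utah": ["Patch 10 Hot Fix 3", "Patch 10a Hot Fix 2", "Patch 10b Hot Fix 1"],
    "Vancouver": ["Patch 6 Hot Fix 2", "Patch 7 Hot Fix 3b", "Patch 8 Hot Fix 4",
                  "Patch 9 Hot Fix 1", "Patch 10"],
    "Washington DC": ["Patch 1 Hot Fix 3b", "Patch 2 Hot Fix 2", "Patch 3 Hot Fix 2",
                      "Patch 4", "Patch 5"],
}

# "Patch 7 Hot Fix 3b": patch number with optional letter, optional hot fix with optional letter.
_VERSION_RE = re.compile(
    r"^Patch\s+(\d+)([a-z]?)(?:\s+Hot\s+Fix\s+(\d+)([a-z]?))?$", re.IGNORECASE)


def parse_version(text):
    """Return ((patch_no, patch_letter), (hotfix_no, hotfix_letter)).

    A bare patch with no hot fix parses as hot fix (0, ""), so that
    'Patch 10' sorts below 'Patch 10 Hot Fix 1' within the same patch line.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ServiceNow version string: {text!r}")
    patch = (int(m.group(1)), m.group(2).lower())
    hotfix = (int(m.group(3)), m.group(4).lower()) if m.group(3) else (0, "")
    return patch, hotfix


def is_patched(release, version):
    """True if `version` of `release` is at or beyond a fixed version for CVE-2024-5217."""
    if release not in FIXED:
        raise KeyError(f"no fix data for release {release!r}")
    patch, hotfix = parse_version(version)
    entries = [parse_version(v) for v in FIXED[release]]
    # The instance's patch line is listed: fixed only from the listed hot fix onward.
    for fixed_patch, fixed_hotfix in entries:
        if fixed_patch == patch:
            return hotfix >= fixed_hotfix
    # Not listed: fixed only if newer than every listed patch line (assumption:
    # later patches carry the fix); an older unlisted patch line is exposed.
    return patch > max(fixed_patch for fixed_patch, _ in entries)


def still_exposed(instances):
    """Return the names of (name, release, version) triples that still need patching."""
    return [name for name, release, version in instances if not is_patched(release, version)]
```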

CVE-2022-43684

CVE-2022-43684 is a critical Access Control List (ACL) bypass vulnerability in ServiceNow Core functionality. This flaw allows an authenticated user with low privileges to access sensitive information from database tables that lack proper authorization controls. The vulnerability is classified under CWE-284 (Improper Access Control) and has a significant impact on confidentiality, integrity, and availability.

Technical Details

  • Vulnerability Type: ACL bypass, exposure of sensitive information to unauthorized actors.
  • Attack Vector: Network-based; the attack is of low complexity and does not require user interaction. Exploitation can be achieved by authenticated users with minimal privileges.
  • Potential Impact: If exploited, an attacker can enumerate and extract sensitive data from tables not adequately protected by ACLs. In some scenarios, this could be chained with other vulnerabilities, potentially leading to privilege escalation or even full administrative compromise.
  • Proof-of-Concept: Security researchers have published proof-of-concept exploits demonstrating how attackers can use crafted requests (such as XHR requests to specific ServiceNow processors) to enumerate and access protected tables, including session and token data, which could then be leveraged for further attacks.

Affected Versions

Release          Vulnerable Until
Quebec           Patch 10 Hot Fix 8b
Rome             Patch 10 Hot Fix 1
San Diego        Patch 7
Tokyo            Tokyo Patch 1
Utah             General Availability (GA) release

Scope and Impact

Recent estimates suggest that up to 70% of ServiceNow instances may be vulnerable, with thousands of companies potentially at risk. The vulnerability can be exploited remotely and, in some cases, without any authentication if the vulnerable widget is exposed to the internet.

Potential consequences include:

  • Exposure of sensitive business data, customer information, credentials, and internal communications.
  • Regulatory compliance violations and associated penalties.
  • Significant reputational and financial damage.

While there is currently no evidence of widespread exploitation, proof-of-concept attacks have been demonstrated, and threat actors are actively scanning for vulnerable instances.

Mitigation Strategies

ServiceNow has responded promptly, releasing patches and detailed guidance for affected versions. Organizations are strongly advised to take the following actions:

  1. Apply Official Patches:
    Update ServiceNow instances to the latest version and apply all relevant hotfixes as soon as possible.
  2. Review and Harden Access Controls:
    Conduct a thorough audit of all widgets and components—especially the “Simple List” widget—to ensure that access controls are correctly configured. Remove any unnecessary public access.
  3. Restrict Public Exposure:
    Disable public widgets, restrict inbound internet traffic, and enforce the principle of least privilege for all user accounts.
  4. Continuous Monitoring:
    Regularly audit system logs for unauthorized access attempts and monitor for suspicious activity.
