ServiceNow Remote Code Execution Vulnerabilities Under Attack

Response from ServiceNow: Based on our investigation to date, we have not observed evidence that the activity mentioned in your article and in the Resecurity blog post is related to instances that ServiceNow hosts. We have encouraged our self-hosted and ServiceNow-hosted customers to apply relevant patches if they have not already done so. We will also continue to work directly with customers who need assistance in applying those patches.

Various threat actors are actively exploiting ServiceNow vulnerabilities to target different organizations. While ServiceNow has already patched these flaws, users’ delay in updating their systems has elevated the risks.

Now-Patched ServiceNow Vulnerabilities Actively Exploited

Researchers from Resecurity have shared a detailed blog post highlighting their findings about the active exploitation of ServiceNow vulnerabilities.

As explained, they noticed three different vulnerabilities affecting software security, putting users at risk. Two of these flaws pose a severe threat, as exploiting them allows remote code execution attacks, whereas the third vulnerability, a relatively less severe flaw, could be chained for the exploit.

  • CVE-2024-4879 (CVSS 9.3): An input validation vulnerability impacting Vancouver and Washington DC Now Platform releases. An unauthenticated adversary could exploit the flaw for remote code execution.
  • CVE-2024-5217 (CVSS 9.3): Another input validation flaw leading to remote code execution from an unauthenticated attacker. This vulnerability affected the Washington DC, Vancouver, and earlier Now Platform releases.
  • CVE-2024-5178 (CVSS 6.9): A file read vulnerability affecting the Washington DC, Vancouver, and Utah Now Platform releases. An adversary with admin access to the target system could exploit the flaw to gain unauthorized access to sensitive files.

These vulnerabilities caught the attention of Assetnote researchers, who then responsibly disclosed the flaws to the vendor. They published a detailed post highlighting the technical aspects of the vulnerabilities and explaining how an adversary could chain the flaws to access databases and execute malicious codes.

Soon after the discovery, ServiceNow addressed these vulnerabilities with hotfixes and software updates for the respective Platform releases on July 10, 2024. Users may find these updates in the advisories released for CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, respectively.

However, these patches couldn’t help the users much as the users’ delay in updating systems gave ample time to develop working exploits. Consequently, Resecurity researchers detected active exploitation of the vulnerabilities in the wild, targeting various entities.

Exploitation Attempts Target Victims Globally

Within a week of the vulnerability release, the researchers detected a global campaign exploiting these vulnerabilities, targeting various victims, including an energy corporation, a data center organization, a government agency in the Middle East, and a software development house. (Resecurity has not disclosed the victim firms’ names yet.)

Following Resecurity’s report, ServiceNow confirmed (in a statement to Bleeping Computer), that they did not detect any malicious activity impacting ServiceNow hosts.

Still, given the persistent threat, all users must ensure that their systems are patched immediately with the latest software releases and hot fixes.

ServiceNow is an American platform-as-a-service that facilitates organizations in helpdesk and IT service management activities. The platform boasts a worldwide clientele from various sectors, including Fortune 500 firms.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients