ServiceNow fixes vulnerabilities in Now Platform
Take action: If you are running ServiceNow Now Platform, start patching IMMEDIATELY. The platform is widely used and more often than not exposed to the internet, making it an easy and immediate target. Don't wait.
Learn More
ServiceNow has recently addressed two critical vulnerabilities in its Now Platform that pose significant security risks to organizations.
The ServiceNow Now Platform is a cloud-based platform supporting enterprise applications that manage workflows, automate processes, and integrate data across departments. It enables organizations to streamline operations for IT, HR, customer service, and other functions.
The flaws could enable unauthorized access, data exposure, and platform compromise:
- CVE-2024-8923 (CVSS score 9.8) - a sandbox escape issue stemming from an input validation error within the Now Platform. This flaw enables unauthenticated attackers to remotely execute code within the platform's context, potentially granting them full control over the system, exposing sensitive data, and compromising platform integrity. It affects ServiceNow platform releases prior to the Xanadu General Availability release.
- CVE-2024-8924 (CVSS score 7.5) - a blind SQL injection vulnerability. Although rated lower than CVE-2024-8923, it remains a severe concern, as it could allow attackers to retrieve unauthorized data by exploiting vulnerable input fields on the platform. This vulnerability puts sensitive information at risk, potentially breaching organizational data confidentiality. It affects the Xanadu, Washington DC, and earlier Now Platform releases.
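As an added, generic illustration (not ServiceNow's code, and not the mechanism of CVE-2024-8924, which the advisory does not describe), the following Python sketch shows the blind SQL injection class in miniature: an existence check that reveals only a yes/no answer says "yes" for a nonexistent user once the caller's filter value is spliced into the query text, while the parameterized form keeps treating the value as data. The `sys_user` table, its rows, and the lookup functions are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for any application table that a
# user-supplied filter value can reach.
SAMPLE_ROWS = [
    ("alice", "hr"),
    ("bob", "it"),
]


def _connect() -> sqlite3.Connection:
    # In-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (user_name TEXT, department TEXT)")
    conn.executemany("INSERT INTO sys_user VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, user_name: str) -> bool:
    # Hypothetical vulnerable lookup: the value is spliced into the SQL text,
    # so the boolean answer reflects whatever expression the caller supplies
    # instead of the intended equality test. Only a yes/no leaks, which is
    # exactly the "blind" situation.
    sql = f"SELECT COUNT(*) FROM sys_user WHERE user_name = '{user_name}'"
    return conn.execute(sql).fetchone()[0] > 0


def user_exists_hardened(conn: sqlite3.Connection, user_name: str) -> bool:
    # Parameterized form: the driver binds the value, so it can only be
    # compared as data and is never interpreted as SQL.
    sql = "SELECT COUNT(*) FROM sys_user WHERE user_name = ?"
    return conn.execute(sql, (user_name,)).fetchone()[0] > 0


def looks_like_injection_probe(value: str) -> bool:
    # Coarse server-side input validation for a username-style field: a
    # legitimate value here is alphanumeric plus dot, underscore or hyphen.
    # Validation complements parameterization; it does not replace it.
    return not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", value or "")


def demo() -> dict:
    # Compare both lookups on a normal value and on a constructed probe that
    # turns the WHERE clause into a tautology in the vulnerable version.
    conn = _connect()
    probe = "nobody' OR '1'='1"
    return {
        "vulnerable_normal": user_exists_vulnerable(conn, "alice"),
        "vulnerable_probe": user_exists_vulnerable(conn, probe),
        "hardened_normal": user_exists_hardened(conn, "alice"),
        "hardened_probe": user_exists_hardened(conn, probe),
        "probe_flagged": looks_like_injection_probe(probe),
    }


if __name__ == "__main__":
    print(demo())
```

The point for defenders is the last two keys: the hardened query answers "no" for the probe, and the validation check flags it before it reaches the database, which is also the kind of signal a web application firewall or request log review can alert on while the vendor patch is being rolled out.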
With over 130,000 exposed ServiceNow instances, including more than 90,000 in the U.S. alone, quick patching is crucial. The widespread adoption of the Now Platform for automating business functions increases the potential impact, as unpatched instances could enable unauthorized access to sensitive data and critical operational systems.
ServiceNow disclosed these vulnerabilities on October 29, 2024, through advisories KB1706070 and KB1706072, confirming that patches were released in August and October 2024, respectively. ServiceNow strongly advises organizations to apply these patches to secure their Now Platform instances.