What is the nature of the ServiceNow vulnerabilities being exploited?

Threat actors are exploiting a chain of vulnerabilities in ServiceNow, a cloud-based solution for managing enterprise digital workflows. The primary vulnerability, CVE-2024-4879, is an input validation flaw with a CVSS score of 9.3. This flaw, along with CVE-2024-5178 and CVE-2024-5217, allows attackers to gain complete database access.

What data is being compromised in the ServiceNow breaches?

Attackers are dumping user lists and account credentials from compromised ServiceNow instances. While most credentials are hashed, some instances have exposed plaintext credentials.

Who are the victims of the ServiceNow vulnerabilities?

Victims include government agencies, data centers, energy providers, and software development firms. These entities have had user lists and account credentials compromised, including some plaintext credentials.

How many ServiceNow instances are potentially exposed?

FOFA internet scans reveal nearly 300,000 exposed instances of ServiceNow that could be vulnerable to these exploits.

Attack

ServiceNow flaws actively exploited by hackers

Q: How are these vulnerabilities being exploited?

Researchers from Assetnote published a detailed write-up on the ServiceNow flaws, which led to the immediate appearance of working exploits and bulk network scanners on GitHub. Threat actors are using these publicly available exploits to identify and compromise vulnerable ServiceNow instances.

published: July 26, 2024

Take action: If you are running ServiceNow ticketing system- PATCH NOW. Don't delay, you are being hacked.

Learn More

Threat actors are exploiting a chain of ServiceNow vulnerabilities using publicly available exploits to breach various government agencies and private firms.

ServiceNow, a cloud-based solution widely used for managing enterprise digital workflows, has been the primary target. FOFA internet scans revealing nearly 300,000 exposed instances of ServiceNow.

The primary vulnerability, tracked as CVE-2024-4879, is an input validation flaw with a CVSS score of 9.3. Additional vulnerabilities, CVE-2024-5178 and CVE-2024-5217, can be chained with CVE-2024-4879 for complete database access.

Assetnote researchers published a detailed write-up on the flaws, leading to the immediate appearance of working exploits and bulk network scanners on GitHub. Threat actors began leveraging these exploits to identify and compromise vulnerable instances.

If successful, attackers dump user lists and account credentials. While most credentials are hashed, some instances exposed plaintext credentials.

Victims include government agencies, data centers, energy providers, and software development firms. Compromised data includes user lists and account credentials, including some plaintext credentials.

ServiceNow flaws actively exploited by hackers

Read More
CISA reports actively exploited Sitecore CMS Vulnerabilities
CPUID Website Compromised to Distribute STX RAT Malware …
Ivanti reports actively exploited EPMM flaws, urges immediate …
High-severity Windows flaw exploited in hacker gang attacks
Google urgently patches actively exploited Chrome flaw - …