
Threat Actors Exploit Fresh ServiceNow Vulnerabilities in Attacks

Threat actors have started exploiting critical-severity vulnerabilities in ServiceNow shortly after public disclosure. The post Threat Actors Exploit Fresh ServiceNow Vulnerabilities in Attacks appeared first on SecurityWeek.

Threat actors have been observed exploiting two critical-severity vulnerabilities in the ServiceNow platform less than two weeks after they were publicly disclosed, Resecurity reports.

ServiceNow published advisories for the security defects, tracked as CVE-2024-4879 (CVSS score of 9.3) and CVE-2024-5217 (CVSS score of 9.2), on July 10, but told SecurityWeek that it began issuing patches and updates in May.

The critical issues are described as input validation flaws that could be exploited by unauthenticated attackers for remote code execution in the context of ServiceNow’s platform, a widely used business transformation solution.

A third bug, CVE-2024-5178 (CVSS score of 6.9), described as a file read security defect that could allow administrators to access sensitive files on the web application server without authorization, was also resolved in the platform.

ServiceNow released patches and hotfixes for the Utah, Vancouver, and Washington DC iterations of the Now Platform, urging customers to apply them as soon as possible.

“On May 14, 2024, ServiceNow learned of a vulnerability on the Now Platform impacting instances running on the Vancouver and Washington, D.C. family releases. That day, we deployed an update and have since issued a series of patches designed to address the issue,” a ServiceNow spokesperson told SecurityWeek.

On July 11, Assetnote, which reported the vulnerabilities to ServiceNow in May, published technical details on the three vulnerabilities, explaining how they can be chained together to gain full access to databases and to the MID Servers – proxy servers between cloud-hosted ServiceNow instances and enterprise networks – configured with the platform.

Less than two weeks after the information became public, Resecurity observed threat actors targeting vulnerable ServiceNow instances for reconnaissance.

“Foreign threat actors attempted to exploit the situation to extract data from both private sector companies and government agencies globally,” Resecurity reveals.

The cybersecurity firm points out that there are approximately 300,000 internet-accessible ServiceNow instances susceptible to threat actors’ probing, which “confirms the broad-scale and significant penetration of this solution in enterprise environments globally”.

The largest number of ServiceNow deployments are in the US, UK, India, and European Union countries. However, it is unclear how many of these instances are vulnerable.

According to Resecurity, multiple threat actors have been observed mass scanning for vulnerable ServiceNow instances, probing the vulnerable hosts, and attempting to dump user lists and to collect metadata from the compromised instances.

The attacks targeted organizations in various industries, including an energy company, a data-center organization, a software developer, and a government agency in the Middle East.

“Notably, some of them were not aware of the released patch, and in some cases used outdated or poorly maintained instances by their developers and software engineers,” Resecurity notes.

The company points out that ServiceNow instances are likely to be increasingly targeted in attacks and that initial access brokers are expected to monetize access to compromised enterprise portals and applications.

“There has been identified chatter on multiple underground forums on the dark web highlighting threat actors seeking compromised access to IT service desks, corporate portals, and other enterprise systems that typically provide remote access to employees and contractors,” Resecurity says.

“Based on our investigation to date, we have not observed evidence that the activity mentioned in the Resecurity blog post is related to instances that ServiceNow hosts. We have encouraged our self-hosted and ServiceNow-hosted customers to apply relevant patches if they have not already done so. We will also continue to work directly with customers who need assistance in applying those patches,” ServiceNow said.

*Updated with commentary from ServiceNow.
