CVE-2025-3648: A Data Inference Vulnerability in ServiceNow


The “Count(er) Strike” vulnerability, discovered by Varonis Threat Labs, is a high-severity data inference vulnerability (CVE-2025-3648) in ServiceNow, a leading SaaS platform widely used for ITSM, HR, finance, and customer service operations. This vulnerability allows attackers with minimal privileges to enumerate and exfiltrate sensitive data by exploiting how ServiceNow renders record counts in response to list queries, even when actual data is protected by ACLs.

Severity Level: High

Vulnerability Details

  • CVE ID: CVE-2025-3648
  • CVSS Score: 8.2
  • CWE-1220: Insufficient Granularity of Access Control
  • Affected Product: Now Platform
  • Description: The vulnerability allows attackers to use enumeration techniques with query operators (such as STARTSWITH and CONTAINS) on list pages that display record counts, in order to infer the existence of specific values in fields even when they lack permission to see the actual content. Because the record count is exposed, even queries whose results are denied leak metadata about whether matching data exists.

Root Cause

The core issue lies in how ServiceNow’s Access Control List (ACL) system handles query responses:

  • If a user fails the “Required Roles” or “Security Attribute” conditions in ACLs, a blank page is returned.
  • If they fail “Data Conditions” or “Script Conditions”, the record count is still shown, allowing inference of data through the record totals.
  • Many instances had incomplete or overly permissive ACLs, leaving tables vulnerable even when users couldn’t view full record details.

Exploitation Of The Vulnerability

  1. Identify a vulnerable table that displays a total record count.
  2. Apply crafted queries (e.g., field_nameSTARTSWITHa, descriptionCONTAINS="password") to infer the presence of data.
  3. Automate enumeration using scripts or tools like Burp Suite to systematically uncover data patterns.
  4. Exploit dot-walking to access related tables via reference fields.
  5. Use self-registration (if enabled) to gain entry with basic access, then escalate via enumeration.
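The defender-side counterpart to the enumeration described above is to look for it in instance logs: one account issuing many distinct STARTSWITH/CONTAINS list queries against the same table within a short window. The following is an added detection example, not code from the advisory or from ServiceNow; the log line format, the user and table names, and the threshold values are constructed for illustration.

```python
"""Flag users issuing many distinct STARTSWITH/CONTAINS list queries against one
table in a short window, the probe pattern behind CVE-2025-3648.
Constructed example: the log format below is invented for illustration and is
not a real ServiceNow transaction-log format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ISO timestamp, then key=value pairs).
SAMPLE_LOG = """\
2025-07-08T10:00:01Z user=alice table=incident query=active=true
2025-07-08T10:00:05Z user=mallory table=sys_user query=user_nameSTARTSWITHa
2025-07-08T10:00:06Z user=mallory table=sys_user query=user_nameSTARTSWITHb
2025-07-08T10:00:07Z user=mallory table=sys_user query=user_nameSTARTSWITHc
2025-07-08T10:00:08Z user=mallory table=sys_user query=user_nameSTARTSWITHd
2025-07-08T10:00:09Z user=mallory table=sys_user query=user_nameSTARTSWITHe
2025-07-08T10:00:10Z user=mallory table=sys_user query=user_nameSTARTSWITHf
2025-07-08T10:00:12Z user=mallory table=sys_user query=user_nameSTARTSWITHg
2025-07-08T10:00:20Z user=bob table=incident query=short_descriptionCONTAINSprinter
2025-07-08T11:30:00Z user=mallory table=sys_user query=user_nameSTARTSWITHz
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) query=(?P<query>\S+)$"
)
# Only the two operators the advisory names are treated as probe operators.
PROBE_RE = re.compile(r"STARTSWITH|CONTAINS")


def parse_log(text):
    """Return a list of (timestamp, user, table, query) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["table"], m["query"]))
    return events


def find_enumeration(events, window_seconds=300, threshold=5):
    """Return {(user, table): n} for every user/table pair that issued at least
    `threshold` distinct probe queries inside some sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for ts, user, table, query in sorted(events):
        if PROBE_RE.search(query):
            by_key[(user, table)].append((ts, query))

    flagged = {}
    for key, probes in by_key.items():
        start, best = 0, 0
        for end in range(len(probes)):
            # Slide the window start forward until the span fits inside `window`.
            while probes[end][0] - probes[start][0] > window:
                start += 1
            distinct = len({q for _, q in probes[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[key] = best
    return flagged


def enumeration_alerts(log_text=SAMPLE_LOG):
    """Convenience wrapper: parse the constructed log and run the detector with defaults."""
    return find_enumeration(parse_log(log_text))


if __name__ == "__main__":
    for (user, table), n in enumeration_alerts().items():
        print(f"possible enumeration: user={user} table={table} distinct probes in window={n}")
```

Tune `window_seconds` and `threshold` to the instance's normal usage; a single CONTAINS search (bob above) is ordinary behaviour, while a burst of distinct prefix probes from one account against one table is what an enumeration script produces.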

Mitigation

ServiceNow released a patch for this vulnerability in May 2025, and published official CVE documentation on July 8, 2025. Fixes include new access control mechanisms:

  • Query ACLs: Prevent blind enumeration via query_range and query_match operations.
  • Security Data Filters: Dynamically filter and suppress results from list views based on user permissions.
  • ACL setting: “Deny unless” (instead of “Allow if”) now ensures strict permission enforcement.
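To make concrete both the root cause above (a failed data condition still renders the count) and the two mitigations just listed (a Query ACL gating the match operators, and counts that follow "deny unless" semantics), here is an added, deliberately simplified model. It is not ServiceNow code: the sample table, the roles `itil` and `secret_reader`, the owner-based data condition, and the order in which the checks run are all assumptions made for illustration.

```python
"""Toy model of the list-count leak behind CVE-2025-3648 and of the mitigations the
advisory names. Constructed example, not ServiceNow code: the ACL evaluation order,
the roles and the Query ACL rule are simplifications chosen for illustration."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


# Constructed sample table: each record is readable only by its owner.
SECRETS = [
    {"owner": "alice", "secret": "alpha-key"},
    {"owner": "bob", "secret": "bravo-key"},
    {"owner": "carol", "secret": "charlie-key"},
]


def matches(record, encoded_query):
    """Evaluate the two operators the advisory names: fieldSTARTSWITHvalue / fieldCONTAINSvalue."""
    for op in ("STARTSWITH", "CONTAINS"):
        if op in encoded_query:
            fld, val = encoded_query.split(op, 1)
            text = str(record.get(fld, ""))
            return text.startswith(val) if op == "STARTSWITH" else val in text
    raise ValueError("unsupported query operator in model")


def role_ok(user):
    """'Required Roles' part of the read ACL (assumed role name)."""
    return "itil" in user.roles


def data_ok(user, record):
    """'Data Condition' part of the read ACL: only the owner may read the record."""
    return record["owner"] == user.name


def query_acl_ok(user, query):
    """Simplified Query ACL: only 'secret_reader' may use the match operators on this table."""
    uses_match = "STARTSWITH" in query or "CONTAINS" in query
    return (not uses_match) or "secret_reader" in user.roles


def list_vulnerable(user, query):
    """Pre-fix behaviour described in the advisory: a failed role check returns a blank
    page (None), but a failed data condition still renders the total record count."""
    if not role_ok(user):
        return None
    hits = [r for r in SECRETS if matches(r, query)]
    visible = [r for r in hits if data_ok(user, r)]
    # The count is taken over all hits, including rows the user may not read: this is the leak.
    return {"count": len(hits), "records": visible}


def list_hardened(user, query):
    """Post-fix behaviour: the Query ACL gates the match operators, and the count is
    derived only from records that pass every condition ('deny unless' semantics)."""
    if not role_ok(user) or not query_acl_ok(user, query):
        return None
    visible = [r for r in SECRETS if matches(r, query) and data_ok(user, r)]
    return {"count": len(visible), "records": visible}


def count_leaks(user, query):
    """True when the vulnerable path reports more rows than the user is allowed to see."""
    page = list_vulnerable(user, query)
    return page is not None and page["count"] > len(page["records"])


if __name__ == "__main__":
    bob = User("bob", {"itil"})
    print("vulnerable:", list_vulnerable(bob, "secretSTARTSWITHalpha"))  # count 1, no records
    print("hardened:  ", list_hardened(bob, "secretSTARTSWITHalpha"))    # None (query ACL)
```

The point to take from the model: `bob` never sees alice's record in either path, but in `list_vulnerable` the count of 1 tells him the probe matched, which is exactly the metadata the advisory says is exposed. In `list_hardened` the probe is refused outright by the Query ACL, and even an account that does hold the query role gets a count computed only over rows it may read, so a matching-but-unreadable row contributes nothing.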

It is recommended that Now Platform users manually review their tables and modify ACLs to make sure they are not overly permissive, and thus not vulnerable to this attack.

Sources:

  • https://www.varonis.com/blog/counter-strike-servicenow
  • https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2139567
  • https://www.cve.org/CVERecord?id=CVE-2025-3648


Ampcus Cyber