ServiceNow Security Incident Resulted In Customer Data Exposure

On June 9, 2026, ServiceNow disclosed a security incident involving active exploitation of an unauthenticated REST API endpoint (/api/now/related_list_edit/create). Attackers leveraged a misconfigured authentication flag to query customer instance tables without credentials, potentially accessing sensitive enterprise data across multiple tenants. A patch was silently applied on June 5, 2026, but community evidence suggests ServiceNow was aware of the underlying issue as early as April 7, raising serious concerns about disclosure timeliness, particularly for regulated industries.

Severity: High

Vulnerability Overview

  • Vulnerability Type: Unauthenticated Access Flaw / Broken Object Level Authentication (BOLA) via API.
  • Affected Component: Scripted REST Resource endpoint /api/now/related_list_edit/create
  • Root Cause: The endpoint shipped with requires_authentication = false, meaning it accepted completely unauthenticated requests. This is a misconfiguration, not a runtime code flaw — making it potentially present across releases, not just “Australia.”
  • CVE Status: ServiceNow is still evaluating whether to publish a CVE (KB3067321).
  • Observed Exploit Behavior: Attackers attempted to create records on the sys_group_has_role table. Intelligence analysts hypothesize that the attackers sought to append a privileged role (such as admin) to default or demo-data groups containing known/default sys_id structures to establish a persistent backdoor.

Scope Of Impact

  • Target Systems: Primarily impacts customers running the Australia platform release.
  • Legacy Impact: Customers on older releases who made specific configuration changes to their instances are also vulnerable.
  • Exposed Data: ServiceNow confirmed successful data table queries. While specific data leakage was not completely itemized, impacted instance tables routinely store high-value corporate data including IT support tickets, internal documentation, asset inventories, security incident reports, and corporate infrastructure configuration details.

Timeline Of Events

  • April 7, 2026: ServiceNow allegedly logged the vulnerability within their internal PRB (Problem) tracking system.
  • June 2–3, 2026: Initial wave of suspicious exploit activity and network sweeps detected.
  • June 5, 2026: ServiceNow deployed an emergency security update modifying the API endpoint to force requires_authentication=true.

Indicators Of Compromise (IoCs)

Security teams should immediately audit network and transaction logs for the following indicators:

| Indicator Type | Value | Context |
| --- | --- | --- |
| IP Address | 51.159.98[.]241 | Confirmed malicious source IP driving automated sweeps. |
| URI Path | /api/now/related_list_edit/create | Targeted endpoint for unauthenticated data queries. |
| Log Artifact | Guest User Context | Requests against the endpoint logged without an explicit user account. |
| Volume Pattern | ~5 transaction logs / 8k failed script errors | Typical footprint seen within affected tenants during the sweep window. |

Recommendations

  1. Filter instance transaction logs for IP 51.159.98[.]241 and the /api/now/related_list_edit path. Inspect the payload render size on any successful transactions.
  2. Review the Scripted REST API table (sys_ws_operation) and audit any custom/legacy resources where the “Requires Authentication” checkbox is unchecked.
  3. For impacted instances, immediately rotate any API tokens, internal credentials, or authentication secrets shared via recent IT support tickets or workflows.
  4. Ensure instances running the Australia release or custom legacy configurations have received the June 5 security update. Track ServiceNow KB3067321 for ongoing vendor updates.
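
The log triage in recommendation 1, sketched as an added example (not code from ServiceNow or from this advisory's sources). It assumes the transaction log has been exported to CSV; the column names and the sample rows are constructed for illustration and are not ServiceNow's schema.

```python
import csv, io
from urllib.parse import unquote, urlsplit

IOC_IP = "51.159.98[.]241".replace("[.]", ".")   # refang the advisory's indicator
IOC_PATH = "/api/now/related_list_edit"           # path prefix from recommendation 1

# Constructed sample export; column names are assumptions, not ServiceNow's schema.
SAMPLE = """created,source_ip,url,user,status,response_bytes
2026-06-02 23:14:07,51.159.98.241,/api/now/related_list_edit/create,guest,200,18234
2026-06-03 00:02:41,51.159.98.241,/api/now/related_list_edit/create?x=1,guest,500,0
2026-06-03 09:30:12,198.51.100.7,/API/now/related_list_edit/create,,200,9120
2026-06-03 10:01:55,203.0.113.20,/api/now/table/incident,jane.doe,200,5120
2026-06-04 11:45:00,203.0.113.20,/api/now/related_list_edit/create,jane.doe,200,640
2026-06-04 12:00:00,51.159.98.241,/login.do,guest,200,2048
"""

def normalise_path(url):
    """Drop query string, percent-decode and lowercase so variants still match."""
    return unquote(urlsplit(url).path).lower()

def triage(rows):
    """Return (priority, reasons, row) for each row matching an indicator, highest first."""
    findings = []
    for row in rows:
        reasons = []
        hit_path = normalise_path(row["url"]).startswith(IOC_PATH)
        if row["source_ip"].strip() == IOC_IP:
            reasons.append("ioc_ip")
        if hit_path:
            reasons.append("endpoint")
            if row["user"].strip().lower() in ("", "guest"):
                reasons.append("no_user_context")
            if row["status"].startswith("2"):
                reasons.append("success")
        if not reasons:
            continue
        # Successful unauthenticated hits on the endpoint are the rows to read first.
        unauth_success = {"endpoint", "no_user_context", "success"} <= set(reasons)
        priority = "high" if unauth_success else "medium" if hit_path else "low"
        findings.append((priority, reasons, row))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], -int(f[2]["response_bytes"] or 0)))

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    for priority, reasons, row in triage(load(SAMPLE)):
        print(priority, row["created"], row["source_ip"], row["response_bytes"], ",".join(reasons))
```

Within each priority the rows are ordered by response size, so the successful unauthenticated responses that returned the most data surface first for payload inspection.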

Sources:

  • https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data/
  • https://www.reddit.com/r/servicenow/comments/1u0c45c/potential_servicenow_breach/
  • https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB3067321
  • https://x.com/IntCyberDigest/status/2064391819962515853
  • https://x.com/DarkWebInformer/status/2064439152834499059
