A major vulnerability in ServiceNow's platform, designated CVE-2025-3648 and dubbed "Count(er) Strike," allows attackers to exfiltrate sensitive data, including PII, credentials, and financial information.
This high-severity vulnerability exploits the record count UI element on list pages through enumeration techniques and query filters, potentially affecting all ServiceNow instances, with hundreds of tables at risk.
Key Takeaways
1. CVE-2025-3648 "Count(er) Strike" allows data extraction from ServiceNow through record count exploitation.
2. Requires only basic user access or self-registration; no special tools or elevated privileges needed.
3. Affects all ServiceNow instances, especially Fortune 500 companies (85% of customer base).
4. ServiceNow patched in May 2025 with new security controls; immediate implementation recommended.
The vulnerability was particularly concerning because it required only minimal access privileges and could be exploited by users with weak accounts or even self-registered anonymous users.
Count(er) Strike Vulnerability (CVE-2025-3648)
Varonis Threat Labs reports that the Count(er) Strike vulnerability affects ServiceNow's Access Control List (ACL) mechanism, which manages data access through four key conditions: required roles, security attribute conditions, data conditions, and script conditions.
Credential Leak from Restricted Permissions
When access is denied because the first two conditions fail, ServiceNow displays a blank page with the message "Security constraints prevent access to requested page".
However, when access fails because of data or script conditions, the system reveals the total record count with the message "Number of rows removed from this list by Security constraints."
This information disclosure creates a significant security gap, as attackers can exploit tables where ACL rules have empty or overly permissive role requirements and security attribute conditions.
ACL evaluation process
The vulnerability affects multiple ServiceNow solutions, including IT Service Management (ITSM), Customer Service Management (CSM), and Human Resources Service Delivery (HRSD), potentially exposing sensitive data across the Fortune 500 companies that make up 85% of ServiceNow's customer base.
Attackers can exploit this vulnerability through systematic enumeration using query parameters and filtering techniques. The basic exploitation process involves constructing URLs with specific query parameters:
This query filters results to show records where a specific field begins with the letter "a," with the count reflected in the grand_total_rows value in the HTML source. More sophisticated attacks can combine multiple conditions:
Attackers can automate this process using scripts to enumerate data character by character, effectively reconstructing entire database records.
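Character-by-character enumeration leaves a recognisable trace in request logs: one user sends many range-operator filters against the same table and field, each value extending the previous one. The detection sketch below is an added example, not code from Varonis or ServiceNow; the log format (user, table, filter), the `x_demo_*` table names, the `u_*` field names and the thresholds are all constructed assumptions to adapt to your instance's own request logs.

```python
import re
from collections import defaultdict

# Range operators named in the article; a filter term looks like fieldOPERATORvalue.
RANGE_TERM = re.compile(r"^([a-z0-9_.]+)(STARTSWITH|CONTAINS)(.+)$")

# Constructed sample log, one request per line: "<user> <table> <list filter>".
SAMPLE_LOG = """\
alice x_demo_ticket active=true^u_titleSTARTSWITHprin
bob x_demo_record u_tokenSTARTSWITHa
bob x_demo_record u_tokenSTARTSWITHb
bob x_demo_record u_tokenSTARTSWITHs
bob x_demo_record u_tokenSTARTSWITHse
bob x_demo_record u_tokenSTARTSWITHsec
bob x_demo_record u_tokenSTARTSWITHsecr
carol x_demo_ticket u_titleCONTAINSvpn
carol x_demo_ticket u_titleCONTAINSprinter
carol x_demo_ticket u_titleCONTAINSlaptop
carol x_demo_ticket u_titleCONTAINSemail
carol x_demo_ticket u_titleCONTAINSbadge
"""

def parse_probes(line):
    """Yield (user, table, field, value) for each range-operator term in a log line."""
    parts = line.split(None, 2)
    if len(parts) != 3:
        return
    user, table, query = parts
    for term in query.split("^"):  # '^' joins conditions in the filter
        m = RANGE_TERM.match(term)
        if m:
            yield user, table, m.group(1), m.group(3)

def longest_prefix_chain(values):
    """Longest run of probed values where each extends the previous by one character."""
    best = {}
    for v in sorted(values, key=len):
        best[v] = best.get(v[:-1], 0) + 1
    return max(best.values(), default=0)

def find_enumeration(lines, min_probes=5, min_chain=3):
    """Return (user, table, field, distinct_probes, chain) for suspected enumeration."""
    probes = defaultdict(set)
    for line in lines:
        for user, table, field, value in parse_probes(line):
            probes[(user, table, field)].add(value)
    return [(*key, len(vals), longest_prefix_chain(vals))
            for key, vals in sorted(probes.items())
            if len(vals) >= min_probes and longest_prefix_chain(vals) >= min_chain]
```

On the sample log only `bob` is reported: `carol` issues as many distinct searches, but they never extend one another, which is what separates ordinary list filtering from prefix-growing enumeration.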
The vulnerability is additional amplified by ServiceNow’s dot-walking function, which permits entry to associated tables by way of reference fields, and self-registration capabilities that allow nameless customers to create accounts and achieve primary entry.
Risk Factors: Details
Affected Products: ServiceNow Platform (all instances potentially affected)
Impact: Data exfiltration of sensitive information
Exploit Prerequisites:
- Minimal access to a ServiceNow instance
- User account with basic table access
- Tables with misconfigured ACL rules (empty or overly permissive role/security attribute conditions)
- No special configurations or plugins required
CVSS 3.1 Score: High Severity
Mitigations
ServiceNow addressed this vulnerability by introducing new access control mechanisms.
Query ACLs specifically protect against blind query attacks by restricting query operations to either query_range (containing dangerous operators like STARTSWITH, CONTAINS) or query_match (containing safe operators like EQUALS, NOT_EQUALS).
Security data filters apply additional record-level restrictions based on roles and security attributes, filtering results and suppressing the "rows removed by security" message that attackers exploited.
Organizations should immediately review their ServiceNow instances, validate ACL configurations for custom and standard tables, and implement the new security mechanisms on sensitive tables containing regulated data.