ServiceNow has disclosed a critical security vulnerability in its AI Platform, identified as CVE-2026-6875, which could allow unauthenticated attackers to execute code within affected environments. This sandbox escape flaw impacts both hosted and self-hosted ServiceNow deployments.
The vulnerability enables attackers to bypass platform restrictions and execute code without authentication, posing a significant risk to unpatched ServiceNow instances. Exploitation could lead to workflow disruptions, unauthorized data access, record modifications, or serve as a foothold for further malicious activities.
ServiceNow’s Response and Mitigation
ServiceNow has proactively addressed this issue by deploying security updates to its hosted instances and providing patches for self-hosted customers and partners. Organizations managing their own ServiceNow environments are advised to review their current release versions and apply the appropriate patches or upgrades promptly.
The vulnerability is resolved in the following versions:
- Brazil Early Access and Brazil General Availability releases
- Australia Patch 2
- Zurich Patch 7b or Zurich Patch 9
- Yokohama Patch 12 Hot Fix 1b or Yokohama Patch 13
ServiceNow has not observed active exploitation of CVE-2026-6875 but emphasizes the urgency of applying these updates to prevent potential attacks.
Recommendations for Administrators
Administrators should determine whether their ServiceNow instance is hosted or self-hosted. Hosted customers should verify that the platform update has been applied, while self-hosted administrators should consult ServiceNow’s security maintenance guidance and confirm their patch status.
Additionally, security teams are encouraged to monitor for unusual administrative activities, unexpected workflow changes, and suspicious API behavior following the update to detect any signs of exploitation.
ServiceNow has published advisories KB2930717 and KB2930740, providing detailed patch and maintenance information. Prompt remediation is crucial to safeguard against potential exploitation.
This incident underscores the importance of timely vulnerability management in enterprise platforms. Organizations must remain vigilant, regularly update their systems, and monitor for emerging threats to maintain a robust security posture.