ServiceNow Vulnerability CVE-2025-3648: Data Exposure Risks and Mitigation Strategies

A significant security vulnerability, identified as CVE-2025-3648 and codenamed Count(er) Strike, has been discovered in ServiceNow’s Now Platform. The flaw, rated CVSS 8.2, could allow unauthorized users to infer and access sensitive data because of misconfigured Access Control Lists (ACLs).

Understanding the Vulnerability

ServiceNow’s Now Platform is a widely adopted cloud-based solution that facilitates digital workflows across various industries, including healthcare, finance, and the public sector. The platform employs ACLs to regulate user access to data within its tables. Each ACL evaluates four conditions to determine access permissions:

1. Required Roles: Specific roles assigned to users.
2. Security Attributes: Additional security parameters.
3. Data Conditions: Criteria based on data values.
4. Script Conditions: Custom scripts that define access logic.

For a user to access a resource, all of these conditions must be met. However, when a resource is protected by multiple ACLs, ServiceNow’s previous Allow If evaluation granted access as soon as any single ACL was satisfied, even if the others would have denied it. This permissive model could inadvertently grant partial access, such as revealing record counts, which malicious actors could exploit.

Exploitation Mechanism

The vulnerability arises when a user fails the Data Condition or Script Condition check. In that case, ServiceNow still displays the matching record count in the user interface and in the page’s HTML source, alongside a message stating that some results were removed due to security constraints. This partial exposure can be combined with URL-based filter operators such as `STARTSWITH`, `CONTAINS`, `=`, and `!=` to enumerate the contents of records incrementally.

For instance, a query such as:

```
https://[my_company].service-now.com/task_list.do?sysparm_query=short_descriptionSTARTSWITHp
```

can be adjusted iteratively, one filter character at a time, to deduce field values from the count alone. Automating this process enables attackers to extract sensitive information, including personally identifiable information (PII), credentials, and internal configuration data.
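The request pattern just described is visible to defenders: a single user issuing list queries whose `STARTSWITH` prefix grows by one character per request. The following added example (not code from the original article or from ServiceNow) runs that check over constructed access-log lines; the log format, user names, and table names are assumptions, while the `sysparm_query` operator syntax and the `^` term separator are ServiceNow’s.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample access log (not real ServiceNow output): "<timestamp> <user> <path>".
# Lines 1-5: one user lengthens a STARTSWITH prefix by one character per request.
SAMPLE_LOG = """\
2025-05-02T10:00:01Z guest /task_list.do?sysparm_query=short_descriptionSTARTSWITHb
2025-05-02T10:00:02Z guest /task_list.do?sysparm_query=short_descriptionSTARTSWITHbu
2025-05-02T10:00:03Z guest /task_list.do?sysparm_query=short_descriptionSTARTSWITHbud
2025-05-02T10:00:04Z guest /task_list.do?sysparm_query=short_descriptionSTARTSWITHbudg
2025-05-02T10:00:05Z guest /task_list.do?sysparm_query=active=true^short_descriptionSTARTSWITHbudge
2025-05-02T10:00:06Z alice /incident_list.do?sysparm_query=active=true
2025-05-02T10:00:07Z alice /incident_list.do?sysparm_query=short_descriptionSTARTSWITHprinter
"""

# One encoded-query term <field>STARTSWITH<prefix>; terms inside sysparm_query are joined with "^".
STARTSWITH_RE = re.compile(r"^(?P<field>\w+?)STARTSWITH(?P<prefix>.*)$")

def parse_line(line):
    """Split a log line into user, list table and the decoded sysparm_query string."""
    ts, user, path = line.split(" ", 2)
    url = urlparse(path)
    name = url.path.rsplit("/", 1)[-1]                       # e.g. "task_list.do"
    table = name[:-len("_list.do")] if name.endswith("_list.do") else name
    query = parse_qs(url.query).get("sysparm_query", [""])[0]
    return {"ts": ts, "user": user, "table": table, "query": query}

def find_prefix_walks(log_text, min_steps=4):
    """Return (user, table, field) groups whose consecutive STARTSWITH prefixes each
    extend the previous prefix by exactly one character for at least min_steps requests."""
    chains = defaultdict(list)  # (user, table, field) -> prefixes in request order
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        for term in rec["query"].split("^"):
            m = STARTSWITH_RE.match(term)
            if m:
                chains[(rec["user"], rec["table"], m["field"])].append(m["prefix"])
    findings = []
    for (user, table, field), prefixes in chains.items():
        run = best = 1
        for prev, cur in zip(prefixes, prefixes[1:]):
            run = run + 1 if cur.startswith(prev) and len(cur) == len(prev) + 1 else 1
            best = max(best, run)
        if best >= min_steps:
            findings.append({"user": user, "table": table, "field": field,
                             "steps": best, "last_prefix": prefixes[-1]})
    return findings
```

Once the Security Data Filters described below hide row counts, this pattern stops yielding information, but the query sequence itself remains a useful indicator that someone probed an ACL-protected table.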

Potential Impact

This vulnerability could affect any ServiceNow instance with misconfigured or overly permissive ACLs, potentially spanning hundreds of tables. Even users with minimal privileges, such as self-registered anonymous users, could exploit the flaw without any privilege escalation, leading to significant data exposure.

Mitigation Measures

To address this issue, ServiceNow has introduced additional access control frameworks in its recent Xanadu and Yokohama releases. These include:

1. Deny-Unless ACLs: Require users to pass all ACLs to gain access to a dataset.
2. Query ACLs: Restrict enumeration queries using range operators.
3. Security Data Filters: Hide row counts and suppress inference cues.

Additionally, in May 2025, ServiceNow delivered a security update designed to enhance customer ACL configurations. Administrators are advised to review existing tables to ensure data is properly secured and to implement the new access control frameworks to mitigate potential exploitation.

Conclusion

The discovery of CVE-2025-3648 underscores the importance of robust access control configurations in cloud-based platforms. Organizations utilizing ServiceNow should promptly assess their ACL settings, apply the recommended updates, and adopt the new security measures to safeguard sensitive data against unauthorized access.