Critical ServiceNow vulnerabilities being targeted by hackers, cyber agency warns

Two vulnerabilities affecting popular tools from the cloud company ServiceNow are being exploited by hackers eager to steal sensitive data.

On May 14, security experts at the cybersecurity company AssetNote notified ServiceNow of three serious vulnerabilities that could be chained together and used to siphon important organizational data. Companies use ServiceNow’s cloud-based software for everything from employee management to the automation of business processes, and more. 

ServiceNow released patches for each bug — listed as CVE-2024-4879, CVE-2024-5178 and CVE-2024-5217 — in May and June, but almost immediately after the AssetNote report was released publicly on July 11, a proof-of-concept exploit was published.  

Since then, cybersecurity companies and the federal cybersecurity agency have warned of hackers attempting to exploit the bugs. 

The Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that hackers are specifically targeting CVE-2024-4879 and CVE-2024-5217, giving federal civilian agencies until August 19 to patch the bugs. Both vulnerabilities carry critical severity scores of 9.3 and 9.2 respectively.

Over the last two weeks, reports from Resecurity, Symantec, Imperva and other cybersecurity researchers have outlined hacker attempts to exploit the vulnerabilities, with some warning that anywhere from 13,000 to 42,000 ServiceNow systems may be at risk of compromise. 

The largest number of instances has been identified in the U.S., the United Kingdom, India, and the European Union, according to Resecurity.

Guy Rosenthal, vice president at cybersecurity firm DoControl, said the vulnerabilities let an attacker gain full access to a database and exfiltrate data. 

“The vulnerabilities also allowed a cybercriminal to read files, which means that the attacker could traverse a system and manipulate file paths and have a wide berth to go anywhere and access anything that they’d like to see or steal,” he said. 

“These three vulnerabilities gave the attacker free reign within the ServiceNow platform.”

Resecurity said it has been closely monitoring activity from foreign threat actors seeking to extract data from both private sector companies and government agencies globally.

“The activity was timely contained by the vendor, several episodes of malicious cyber activity were identified during the exposure window, and could be interpreted as limited,” the researchers said.

The company saw mass scanning — where hackers scan the internet for vulnerable ServiceNow instances — once information about the bugs was released. Hackers typically probed systems to check if they were vulnerable before attempting to exploit the bugs, often starting with CVE-2024-4879. 

Resecurity found multiple organizations across several countries and verticals affected, including an energy company, a government agency of a country in the Middle East and a software development firm, among others. 

“Notably, some of them were not aware of the released patch, and in some cases used outdated or poorly maintained instances by their developers and software engineers,” the researchers said.

“There has been identified chatter on multiple underground forums on the Dark Web highlighting threat actors seeking compromised access to IT service desks, corporate portals, and other enterprise systems that typically provide remote access to employees and contractors.”

Resecurity also warned of initial access brokers gaining entry to systems and then selling the access on the dark web, using infostealers and other tools to gain a foothold. 

Cybersecurity firm Imperva said it saw exploitation attempts “in over 6,000 sites across various industries, especially in the financial services industry” — with attackers “primarily leveraging automated tools to target login pages.”