- A flaw in ServiceNow's access control lists (ACLs) meant that users could access data without satisfying all of the access conditions
- New controls have been added to reduce the risk
- Users are advised to review their tables and ACLs
A flaw in ServiceNow could have allowed threat actors to exfiltrate sensitive data from other users' tables without ever being noticed, security researchers have warned.
The flaw, tracked as CVE-2025-3648 and given a severity score of 8.2/10 (high), was dubbed "Count(er) Strike" and was discovered by security researchers at Varonis.
According to Varonis, the flaw stems from the way access control lists (ACLs), which are used to limit access to data in tables, are evaluated. Each ACL assesses four conditions when deciding whether a user should be granted access to a resource, and all of those conditions must be satisfied for that ACL to pass. However, when a resource is protected by multiple ACLs, the platform falls back to an "allow" result as soon as any one of them passes.
Updating the systems
This means that a user who satisfied only one of the ACLs would still be granted access, sometimes full access, regardless of the other ACLs on the same resource.
"Each resource or table in ServiceNow may have several ACLs that each define different conditions for access," Varonis said in its report.
"If a user passes only one ACL, they get access to the resource, even if other ACLs would not grant access. If no ACL is present for the resource, access defaults to the default access property, which is set to deny in most cases."
According to BleepingComputer, the flaw has since been addressed, as ServiceNow introduced a number of new features, including a "deny unless" ACL.
This type of ACL requires users to pass all ACLs on a resource before access is granted. All ServiceNow users are advised to manually review their tables and adjust their ACLs to make sure they are not overly permissive.
ServiceNow is a cloud-based platform that helps organizations automate and manage IT services, workflows and business processes, and boasts more than 8,400 customers, including most of the Fortune 500 companies.
Via BleepingComputer
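To make the difference between the two evaluation models concrete, here is an added example (not ServiceNow code, and not taken from the Varonis report) that models a table protected by several ACLs, evaluates a user against it under the legacy "access if any ACL passes" semantics described above and under a "deny unless all ACLs pass" semantics, and flags the ACL that single-handedly opens the table. The table name, roles, ACL names and the user records are constructed for the illustration.

```python
"""
Constructed model of multi-ACL evaluation on a table (assumption: a simplified
stand-in for ServiceNow's behaviour, not its actual engine).

- An ACL has a list of conditions; it passes only if ALL of them hold.
- Legacy semantics (the flaw described in the article): access is granted if
  ANY ACL on the resource passes.
- "Deny unless" semantics (the new control): access is granted only if EVERY
  ACL on the resource passes.
- With no ACL at all, the default access property applies (deny here).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

User = Dict[str, object]


@dataclass
class ACL:
    name: str
    conditions: List[Callable[[User], bool]] = field(default_factory=list)

    def passes(self, user: User) -> bool:
        # Every condition of this single ACL must hold; an ACL with no
        # conditions passes for everyone, which is exactly the kind of entry
        # an access review should catch.
        return all(cond(user) for cond in self.conditions)


def allow_if_any(acls: List[ACL], user: User) -> bool:
    """Legacy model: one passing ACL is enough to grant access."""
    if not acls:
        return False  # default access property: deny
    return any(acl.passes(user) for acl in acls)


def deny_unless_all(acls: List[ACL], user: User) -> bool:
    """'Deny unless' model: the user must satisfy every ACL on the resource."""
    if not acls:
        return False
    return all(acl.passes(user) for acl in acls)


def overly_permissive_acls(acls: List[ACL], user: User) -> List[str]:
    """Review helper: ACLs that pass for this user while another ACL on the
    same resource would deny them. Under the legacy model these ACLs alone
    decide the outcome, so they are the ones to scrutinise."""
    passing = [acl.name for acl in acls if acl.passes(user)]
    failing = [acl.name for acl in acls if not acl.passes(user)]
    return passing if failing else []


# --- constructed sample data -------------------------------------------------
def has_role(role: str) -> Callable[[User], bool]:
    return lambda user: role in user.get("roles", [])


HR_SALARY_ACLS = [
    # Intended rule: only HR managers may read, and only active records.
    ACL("hr_manager_read", [has_role("hr_manager"),
                            lambda user: user.get("record_active", False)]),
    # Leftover rule with no conditions at all: passes for anyone.
    ACL("legacy_read", []),
]

HR_MANAGER: User = {"roles": ["hr_manager"], "record_active": True}
ANALYST: User = {"roles": ["itil"], "record_active": True}


if __name__ == "__main__":
    for label, user in (("hr_manager", HR_MANAGER), ("analyst", ANALYST)):
        print(f"{label}: any={allow_if_any(HR_SALARY_ACLS, user)} "
              f"deny_unless={deny_unless_all(HR_SALARY_ACLS, user)} "
              f"flagged={overly_permissive_acls(HR_SALARY_ACLS, user)}")
```

Running the script shows the analyst, who has no HR role, reading the salary table under the legacy model purely because of the condition-less "legacy_read" entry, while the "deny unless" model blocks them; the HR manager passes both. The review helper is the part worth carrying into a real table audit: any ACL that passes for a low-privilege test user while a sibling ACL denies them is effectively neutralising the stricter rules.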