
ServiceNow Platform Vulnerability Enables Attackers to Exfiltrate Sensitive Data


Security researchers have identified a critical vulnerability in ServiceNow’s widely used enterprise platform that could enable attackers to extract sensitive data, including personally identifiable information (PII), credentials, and financial records.

The flaw, dubbed “Count(er) Strike” by Varonis Threat Labs, affects ServiceNow instances used by 85% of Fortune 500 companies and has been assigned CVE-2025-3648 with a high severity rating.

| Field | Value |
|---|---|
| CVE ID | CVE-2025-3648 |
| Vulnerability Name | Count(er) Strike |
| CVSS Score | High Severity |
| Affected Product | ServiceNow Platform |
| Vulnerability Type | Data Inference/Information Disclosure |

Vulnerability Overview and Impact

The Count(er) Strike vulnerability exploits a fundamental flaw in ServiceNow’s record count UI element on list pages, allowing attackers to use enumeration techniques and query filters to infer and expose sensitive data from various database tables.

The attack requires only minimal access privileges, making it particularly dangerous as it can be executed by users with basic table access or even ...


Copyright of this story solely belongs to gbhackers.