ServiceNow Platform Vulnerability Enables Attackers to Exfiltrate Sensitive Data
gbhackersSecurity researchers have identified a critical vulnerability in ServiceNow’s widely-used enterprise platform that could enable attackers to extract sensitive data including personally identifiable information (PII), credentials, and financial records.
The flaw, dubbed “Count(er) Strike” by Varonis Threat Labs, affects ServiceNow instances used by 85% of Fortune 500 companies and has been assigned CVE-2025-3648 with a high severity rating.
| Field | Value |
|---|---|
| CVE ID | CVE-2025-3648 |
| Vulnerability Name | Count(er) Strike |
| CVSS Score | High Severity |
| Affected Product | ServiceNow Platform |
| Vulnerability Type | Data Inference/Information Disclosure |
Vulnerability Overview and Impact
The Count(er) Strike vulnerability exploits a fundamental flaw in ServiceNow’s record count UI element on list pages, allowing attackers to use enumeration techniques and query filters to infer and expose sensitive data from various database tables.
The attack requires only minimal access privileges, making it particularly dangerous as it can be executed by users with basic table access or even ...
Copyright of this story solely belongs to gbhackers . To see the full text click HERE