ServiceNow Vulnerability Exposes Sensitive Data To Low-Privilege Users

A critical data inference vulnerability, dubbed “Count(er) Strike,” has been uncovered in ServiceNow, the world’s leading IT Service Management (ITSM) platform, according to a report by Varonis Systems.

The flaw, identified by Varonis’ threat research team, allows users with low-privilege accounts to extract sensitive information from tables they are not permitted to read, potentially compromising business-critical data.

With ServiceNow handling vast amounts of sensitive information across IT operations, human resources, and portfolio management for thousands of global enterprises, this vulnerability poses a significant risk.

The report details the nature of the exploit, its implications, and urgent recommendations for mitigation, highlighting the need for robust data security measures in cloud-based platforms.

Understanding the Count(er) Strike Vulnerability

The Count(er) Strike vulnerability abuses the record count that ServiceNow returns for a filtered query against a table. That count is computed over every record matching the caller’s filter conditions, including records that the caller’s access control lists (ACLs) prevent them from reading, so a low-privilege user can test hypotheses about the contents of a restricted table without ever being shown a single record.

Varonis’ researchers demonstrated that an attacker can recover field values one character at a time: a filter of the form “field starts with X” either matches at least one record (non-zero count) or none (zero count), and repeating that test for each candidate character at each position reconstructs the full value, whether a credential, a personal detail or a financial figure. Because the attacker only ever asks “how many rows match?”, the record-level access controls are never tripped; the technique sidesteps them entirely and turns a routine feature into an oracle for unauthorised data extraction.
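To make the inference mechanism concrete, here is an added simulation. It is not ServiceNow’s code or API: the table, field names, record values and the “field STARTSWITH value” filter syntax are constructed for illustration, and only the logic mirrors the flaw described above. A vulnerable count path evaluates the filter against every row regardless of the caller’s ACL, and a hardened count path applies the same ACL decision before counting; the enumerator then recovers every value in a field character by character using “count > 0” as its oracle.

```python
"""Simulated count-based data inference in the style of Count(er) Strike.

Added illustration, not ServiceNow's code or API. Tables, fields, values and
the 'field STARTSWITH value' filter syntax are constructed; only the logic
mirrors the flaw: a caller denied record reads can still learn how many
records match an arbitrary filter and use that count as a yes/no oracle.
"""
from dataclasses import dataclass, field
import string

# Constructed sample data: a restricted table the low-privilege user may not read.
TABLES = {
    "sys_user": [
        {"user_name": "admin", "api_token": "tk-7f3a91"},
        {"user_name": "j.doe", "api_token": "tk-0b2c44"},
    ]
}

# Symbols the attacker tries at each position (must cover the secret's charset).
ALPHABET = string.ascii_lowercase + string.digits + "-"


@dataclass
class Principal:
    name: str
    readable_tables: set = field(default_factory=set)


def _matches(record, query):
    """Evaluate the minimal constructed filter 'field STARTSWITH value'."""
    fld, op, value = query.split(" ", 2)
    if op != "STARTSWITH":
        raise ValueError(f"unsupported operator {op!r}")
    return str(record.get(fld, "")).startswith(value)


def read_records(user, table):
    """Record-level ACL: only users granted the table may read its rows."""
    if table not in user.readable_tables:
        raise PermissionError(f"{user.name} may not read {table}")
    return TABLES.get(table, [])


def vulnerable_count(user, table, query):
    """The flaw: the filter runs over every row and the match count is
    returned without consulting the ACL that governs record reads."""
    return sum(1 for r in TABLES.get(table, []) if _matches(r, query))


def hardened_count(user, table, query):
    """Fix: apply the same ACL decision on the count path, so a caller who
    cannot read the rows learns nothing from filtered counts."""
    if table not in user.readable_tables:
        return 0
    return vulnerable_count(user, table, query)


def enumerate_values(count_fn, user, table, fld, prefix="", max_len=16):
    """Depth-first recovery of every value in `fld`, one character at a time,
    using count_fn(...) > 0 as the oracle for 'some record starts with this'.
    Returns (recovered_values, number_of_count_queries_issued)."""
    if len(prefix) >= max_len:
        return [prefix], 0
    found, queries = [], 0
    for ch in ALPHABET:
        queries += 1
        if count_fn(user, table, f"{fld} STARTSWITH {prefix + ch}") > 0:
            sub, q = enumerate_values(count_fn, user, table, fld, prefix + ch, max_len)
            found.extend(sub)
            queries += q
    if not found and prefix:
        found.append(prefix)  # no symbol extends it: the prefix is a full value
    return found, queries


if __name__ == "__main__":
    low_priv = Principal("itil_user")  # granted no tables at all
    try:
        read_records(low_priv, "sys_user")
    except PermissionError as e:
        print("direct read denied:", e)
    leaked, n = enumerate_values(vulnerable_count, low_priv, "sys_user", "api_token")
    print(f"vulnerable count path leaked {leaked} with {n} count queries")
    safe, n = enumerate_values(hardened_count, low_priv, "sys_user", "api_token")
    print(f"hardened count path recovered {safe} after {n} queries")
```

The attacker never calls read_records; the whole leak comes from the difference between a zero and a non-zero count. Note that the cost is one count query per candidate character per position, which is why the pattern is also easy to spot in an audit trail: a single user issues a long run of filters on one restricted field whose values grow by one character at a time.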

The report notes that the vulnerability affects multiple ServiceNow versions; the specific versions were withheld so that affected releases could not be targeted before patches are applied.

Scope & Impact

ServiceNow’s extensive use across industries makes this vulnerability particularly concerning. The platform processes sensitive data, including personally identifiable information (PII), financial records, and operational logs, making it a prime target for cyberattacks. The report warns that attackers could exploit Count(er) Strike to extract regulated data, such as that governed by GDPR, CCPA, or HIPAA, potentially leading to compliance violations and hefty fines.

For instance, a malicious actor with basic access could infer employee records or customer data, enabling phishing campaigns, identity theft, or insider threats. Posts on X have echoed this concern, noting the vulnerability’s potential to expose sensitive tables, amplifying the urgency for organisations to act swiftly.

The report also highlights ServiceNow’s customization capabilities as a double-edged sword. While these features enable tailored workflows, they often lead to misconfigured access controls, exacerbating vulnerabilities like Count(er) Strike.

Varonis estimates that thousands of organisations worldwide, including major enterprises, could be affected, given ServiceNow’s dominance in the ITSM market. The lack of immediate public disclosure from ServiceNow about the vulnerability’s scope adds to the uncertainty, leaving organisations to rely on proactive security measures to protect their data.

Varonis’ Role In Mitigation

Varonis’ Data Security Platform, which integrates with ServiceNow, played a pivotal role in identifying the vulnerability. The platform’s ability to automatically discover and classify sensitive data across structured and unstructured sources - such as ServiceNow’s fields, tables, logs, and attachments - enabled researchers to pinpoint the exploit. Varonis’ granular audit trails and risk analysis tools detected abnormal query patterns, revealing the potential for data inference.

The report emphasizes that Varonis’ integration with ServiceNow allows organisations to streamline remediation by creating tickets directly within the platform, addressing misconfigurations and overexposures in real time. This capability is critical for mitigating risks posed by Count(er) Strike and similar vulnerabilities.

Recommendations For Organisations

To counter the threat, Varonis urges ServiceNow users to take immediate action.

  • First, organisations should review and tighten access controls, ensuring that low-privilege users cannot exploit the count function to infer sensitive data; in particular, a user who is denied access to a table’s records should not be able to filter that table by its sensitive fields and see how many rows match. The report recommends leveraging Varonis’ platform to monitor data activity and detect anomalous queries, which can indicate potential exploits.
  • Additionally, enterprises should apply ServiceNow’s latest patches and updates, as the company is likely working on a fix following Varonis’ responsible disclosure.
  • Regular audits of ServiceNow configurations are also essential to identify and remediate misconfigurations that could amplify the vulnerability’s impact.
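As an added example of the anomalous-query monitoring the first recommendation calls for (this is not Varonis’ or ServiceNow’s code; the audit-line format, the table and field names and the sample entries are all constructed), the script below looks for the signature a count-based enumerator leaves behind: within a short window, one user filters one field of one table with values that form a ladder of prefixes, each one character longer than the last. The ladder measure is robust to the alphabet sweeps an attacker performs at each position, because it only asks whether each prefix of a queried value was itself queried.

```python
"""Detect prefix-ladder enumeration in a constructed query audit trail.

Added illustration, not ServiceNow's or Varonis' code. The line format
"<ISO timestamp> <user> <table> <field> <operator> <value>" and every entry
in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: 'mallory' walks api_token one character at a
# time (including a failed guess 'tk-a'); 'alice' and 'bob' are ordinary users.
SAMPLE_LOG = """\
2025-07-08T10:00:01Z mallory sys_user api_token STARTSWITH t
2025-07-08T10:00:02Z mallory sys_user api_token STARTSWITH tk
2025-07-08T10:00:03Z mallory sys_user api_token STARTSWITH tk-
2025-07-08T10:00:04Z mallory sys_user api_token STARTSWITH tk-a
2025-07-08T10:00:05Z mallory sys_user api_token STARTSWITH tk-0
2025-07-08T10:00:06Z mallory sys_user api_token STARTSWITH tk-0b
2025-07-08T10:00:07Z mallory sys_user api_token STARTSWITH tk-0b2
2025-07-08T10:00:30Z alice incident short_description STARTSWITH printer
2025-07-08T10:05:00Z alice incident short_description STARTSWITH vpn
2025-07-08T11:00:00Z bob sys_user user_name STARTSWITH j
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S*)$")


def parse_log(text):
    """Parse the constructed audit format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, table, fld, op, value = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "table": table, "field": fld, "op": op, "value": value,
        })
    return events


def prefix_ladder(values):
    """Length of the longest chain v[:1], v[:2], ..., v in which every prefix was
    itself queried. A person filtering a list produces ladders of 1 or 2; a
    character-by-character enumerator produces one as long as the value it
    recovered, no matter how many wrong guesses sit in between."""
    pool = set(values)
    return max((sum(1 for k in range(1, len(v) + 1) if v[:k] in pool) for v in pool),
               default=0)


def detect_enumeration(events, window=timedelta(minutes=10), min_ladder=4):
    """Slide a time window over each (user, table, field) stream of STARTSWITH
    filters and raise one alert per stream whose ladder reaches min_ladder."""
    streams = defaultdict(list)
    for e in events:
        if e["op"] == "STARTSWITH":
            streams[(e["user"], e["table"], e["field"])].append(e)
    alerts = []
    for (user, table, fld), evs in streams.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e["value"] for e in evs[i:] if e["ts"] - start["ts"] <= window]
            ladder = prefix_ladder(in_window)
            if ladder >= min_ladder:
                alerts.append({"user": user, "table": table, "field": fld,
                               "ladder": ladder, "queries": len(in_window),
                               "first_seen": start["ts"].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(parse_log(SAMPLE_LOG)):
        print("possible count-based enumeration:", alert)
```

In a real deployment the events would come from the platform’s query or transaction audit rather than an inline string, and the threshold would be tuned per table: a ladder of four on a ticket description is noise, whereas the same ladder on a credential or token field of a table the user cannot read is a strong signal and should be treated as an incident, not merely an anomaly.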

The report further advises integrating advanced data security solutions to provide a unified view of sensitive data across cloud and on-premises environments.

This approach enables organisations to contextualize ServiceNow data within their broader ecosystem, identifying risks like public access to sensitive tables or shadow admin accounts. For long-term resilience, businesses should prioritize employee training on secure configuration practices and establish robust incident response protocols to handle potential breaches swiftly.

Call To Action

The Count(er) Strike vulnerability shows the fragility of even the most widely used enterprise platforms. As cyberattacks grow more sophisticated, the report serves as a wake-up call for organisations to move beyond traditional security approaches. Varonis’ Field CTO, Brian Vecci, emphasizes that “piecemeal security approaches create vulnerabilities that attackers can exploit.”

By adopting automated, AI-driven solutions, enterprises can stay ahead of threats like Count(er) Strike, according to Vecci.

The incident also highlights the importance of responsible disclosure and collaboration between security vendors and platform providers to protect critical data. As organisations await further guidance from ServiceNow, proactive measures remain their best defence against this emerging threat.

Image: @ServiceNow
