A recent breach has put over 105 ServiceNow databases at risk, as a threat actor on BreachForums claims to have harvested email addresses and associated hashes after exploiting critical vulnerabilities in the cloud-based IT service management platform. The vulnerabilities, tracked as CVE-2024-4879 and CVE-2024-5217, have been actively exploited in the wild, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to add them to its Known Exploited Vulnerabilities (KEV) catalog.
According to researchers from Resecurity’s HUNTER threat team, the threat actor on BreachForums is attempting to sell the stolen data for $5,000. The two vulnerabilities allow for unauthenticated remote code execution, making it easy for attackers to gain access to sensitive information within the ServiceNow databases.
In response to the breaches, ServiceNow issued hotfixes for both vulnerabilities on July 10, along with a fix for a third, less severe flaw (CVE-2024-5178). However, not all organizations have applied the patches, leaving them vulnerable to exploitation.
Resecurity researchers have observed multiple attackers probing ServiceNow instances for vulnerabilities. Targeted organizations include energy companies, data-center organizations, government agencies, and financial institutions. The attackers are using automated tools to target login pages and exploit the vulnerabilities, potentially gaining access to sensitive data and disrupting critical business operations.
Estimates suggest that there are hundreds of thousands of ServiceNow instances visible to Internet scans, making them prime targets for exploitation attempts. The ease with which these vulnerabilities can be exploited has raised concerns among cybersecurity experts, who recommend organizations focus on basic security hygiene to protect their systems.
Naomi Buckwalter, director of product security at Contrast Security, warns that organizations using self-hosted proxy servers to connect to ServiceNow’s platform may be particularly vulnerable. The vulnerabilities could allow attackers to access sensitive data and disrupt operations, highlighting the importance of applying patches promptly.
As the threat of these vulnerabilities continues to grow, organizations must prioritize patching and strengthening their security measures to prevent further data breaches and cyberattacks. Failure to address these vulnerabilities promptly could have severe consequences for organizations using ServiceNow and put sensitive information at risk.
