ServiceNow, a widely deployed enterprise platform, recently disclosed three critical vulnerabilities. Two of them, CVE-2024-4879 and CVE-2024-5217, carry CVSSv4 scores of 9.3 and 9.2 respectively and permit unauthenticated remote code execution on affected Now Platform instances.
The third, CVE-2024-5178, allows unauthorized administrative file access. Together they pose significant risks of data exfiltration, system compromise, and operational disruption.
Although the exploitation attempts observed so far have been limited, the potential impact is clear: approximately 300,000 internet-exposed instances have been identified globally, with the US, UK, India, and the EU hosting the most.
Attackers leverage search engines such as Shodan and HUNTER.NOW to map networks and identify vulnerable hosts efficiently. These services run automated scanners that discover web servers, applications, and network devices across the internet and publish information about their configurations.
That exposure gives adversaries a "window of opportunity" to exploit known vulnerabilities in popular software before patches are deployed. The impact of such exploitation varies, but the fact that these engines index enterprise applications is in itself a significant risk.
Chained together, the three vulnerabilities enabled unauthenticated remote code execution; a separate count put the number of exposed instances at nearly 42,000. Although patches are available, active exploitation attempts against more than 6,000 sites, predominantly in the finance sector, have been observed.
Researchers have published detection methods, including custom Nuclei templates, for identifying vulnerable systems. Given the severity and the ongoing exploitation, organizations running ServiceNow should prioritize applying the patches and review which of their instances are reachable from the internet.
Attackers began scanning for vulnerable ServiceNow instances soon after details of CVE-2024-4879 emerged. A public proof-of-concept triggered widespread exploitation, allowing attackers to inject malicious code through crafted URLs.
The exploit chained three steps to reach ServiceNow data: a title injection, a bypass of the template-injection mitigation, and a filesystem filter bypass. Initial scanning consisted of sending probe requests carrying a specific payload to the login page and checking the response for a calculated value, which confirmed that the injected template had been evaluated server-side.
Later attacks used a different payload that attempted to read the contents of the `glide.db.properties` file, which could expose database configuration details.
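The two phases described above (an arithmetic probe through the login page, then a file read aimed at `glide.db.properties`) leave recognisable traces in web-server access logs. The following is an added example, not code from the original report or from ServiceNow, showing how a defender might flag both phases in combined-format logs and how the "calculated response" check works. The indicator patterns (Jelly/Glide template markup, an arithmetic expression inside an evaluate block, the properties file name), the parameter name `jvar_page_title`, and the log lines themselves are assumptions constructed for illustration.

```python
"""Flag access-log entries consistent with the ServiceNow probing described on this page.

Added example (not from the original report). The indicator patterns, the
parameter name jvar_page_title and the sample log lines are constructed; tune
them against your own instance's traffic before relying on them.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample entries in combined log format; none of this is real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Jul/2024:10:01:02 +0000] "GET /login.do?jvar_page_title=%3Cstyle%3E%3Cj%3Ajelly+xmlns%3Aj%3D%22jelly%22+xmlns%3Ag%3D%27glide%27%3E%3Cg%3Aevaluate%3E249*7%3C%2Fg%3Aevaluate%3E%3C%2Fj%3Ajelly%3E%3C%2Fstyle%3E HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [11/Jul/2024:10:01:09 +0000] "GET /login.do?jvar_page_title=%3Cstyle%3E%3Cj%3Ajelly+xmlns%3Aj%3D%22jelly%22+xmlns%3Ag%3D%27glide%27%3E%3Cg%3Aevaluate%3E%2F*+glide.db.properties+*%2F%3C%2Fg%3Aevaluate%3E%3C%2Fj%3Ajelly%3E%3C%2Fstyle%3E HTTP/1.1" 200 7011 "-" "python-requests/2.31"
203.0.113.5 - - [11/Jul/2024:10:02:00 +0000] "GET /login.do?jvar_page_title=Welcome+to+the+portal HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Jul/2024:10:03:00 +0000] "GET /nav_to.do?uri=incident_list.do HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator 1: Jelly/Glide template markup arriving inside a URL parameter.
JELLY_MARKUP = re.compile(r"<\s*(j:jelly|g:evaluate)\b|xmlns:g\s*=\s*['\"]glide", re.I)
# Indicator 2: an arithmetic expression inside an evaluate block (the scanning probe).
ARITH_PROBE = re.compile(r"<\s*g:evaluate[^>]*>[^<]*?(\d+)\s*([*+])\s*(\d+)", re.I)
# Indicator 3: any reference to the database properties file (the later file-read phase).
DB_PROPS = re.compile(r"glide\.db\.properties", re.I)


def fully_decode(target, rounds=3):
    """URL-decode repeatedly so double-encoded payloads do not slip past the patterns."""
    for _ in range(rounds):
        decoded = unquote(target.replace("+", " "))
        if decoded == target:
            break
        target = decoded
    return target


def classify(target):
    """Return the names of the indicators matched by one request target."""
    decoded = fully_decode(target)
    hits = []
    if JELLY_MARKUP.search(decoded):
        hits.append("jelly_markup_in_parameter")
    if ARITH_PROBE.search(decoded):
        hits.append("arithmetic_probe")
    if DB_PROPS.search(decoded):
        hits.append("glide_db_properties_read")
    return hits


def scan_log(text):
    """Parse combined-format log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": urlsplit(m["target"]).path,
                "indicators": hits,
            })
    return findings


def expected_probe_result(target):
    """Value an arithmetic probe would produce if the template were evaluated (None if no probe)."""
    m = ARITH_PROBE.search(fully_decode(target))
    if not m:
        return None
    a, op, b = int(m[1]), m[2], int(m[3])
    return a * b if op == "*" else a + b


def probe_succeeded(target, response_body):
    """The 'calculated response' check: the computed value echoed back means server-side evaluation."""
    expected = expected_probe_result(target)
    return expected is not None and str(expected) in response_body


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], ", ".join(f["indicators"]))
```

Run against your own access logs, the first indicator alone is the most useful: a login page title should never legitimately contain template markup, so any hit warrants checking whether the instance was patched before that request arrived. `probe_succeeded` shows why the scanners checked the response body rather than the status code: a 200 is returned either way, but the arithmetic result only appears if the injected template was actually evaluated.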
Using this access, attackers retrieved database details, most likely by injecting code through a crafted URL parameter. Although strong password hashing prevented them from stealing user passwords directly, they were able to dump usernames and potentially other metadata associated with user accounts.
According to ReSecurity, such data supports further reconnaissance against targeted organizations across sectors including energy, data centers, government agencies, and software development companies.
Recent attacks exploiting vulnerabilities in popular enterprise applications underline the need for prompt patch management. Threat actors actively seek compromised access to IT service desks and corporate portals on the Dark Web for reconnaissance and potential cyberespionage.
Initial access brokers (IABs) use infostealer malware and leaked digital identities to obtain access to enterprise portals and applications, which they then sell on the Dark Web; much of this access is the result of poor network hygiene on the customer side.