Cybersecurity researchers at Varonis Threat Labs have uncovered a high-severity vulnerability in ServiceNow’s widely used enterprise platform that could have led to significant data exposure and theft of sensitive information, including personally identifiable information (PII), credentials, and other confidential data.
The vulnerability, dubbed “Count(er) Strike,” affected the platform used by 85% of Fortune 500 companies and was relatively simple to exploit, requiring only minimal access to target systems.
Simple Exploitation Method Raises Major Security Concerns
The Count(er) Strike vulnerability exploited a flaw in the record count UI element on ServiceNow list pages: the number of records matching a filter was displayed even when the user was not permitted to view the records themselves, so attackers could combine enumeration techniques with query filters to infer and expose sensitive data from various database tables.

What made this vulnerability particularly concerning was its simplicity: attackers needed only minimal access to the target tables, such as a low-privileged user account within the instance or even a self-registered anonymous user account.
The attack method involved manipulating query parameters to filter and refine the records returned from a table, for example by testing whether a field value begins with a given prefix.
Because the displayed record count changed depending on whether any record matched the filter, attackers could confirm or reject each guess and systematically extract field values character by character without ever seeing the records.
The vulnerability was further amplified by ServiceNow’s “dot-walking” feature, which allows users to access data from related tables via reference fields, and the platform’s self-registration capability that could provide anonymous users with basic access credentials.
The vulnerability impacted hundreds of tables across several popular ServiceNow solutions commonly used by enterprises for IT service management, customer service management, human resources service delivery, and governance, risk, and compliance functions.
These systems routinely handle highly sensitive information including social security numbers, medical records, financial data, API keys, and proprietary business information.
ServiceNow Issues Comprehensive Security Response
Varonis researchers initially discovered and reported the vulnerability to ServiceNow in February 2024, following responsible disclosure practices.
ServiceNow responded by issuing a security update in May 2025 and officially assigned CVE-2025-3648 to the vulnerability on July 8, 2025.
The company has confirmed that it is not aware of any exploitation of the vulnerability before the fix was released.
To address the vulnerability, ServiceNow introduced several new security mechanisms, including Query Access Control Lists (ACLs) that restrict the types of queries users can execute on tables, and Security Data Filters that apply additional filtering based on user roles and security attributes.
These new protections specifically defend against blind query attacks where attackers attempt to extract information from database results without being able to directly view the values.
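The following model illustrates both the count-based extraction described above and the effect of restricting which query operators a low-privilege user may issue, which is the idea behind the Query ACLs mentioned here. It is an added example, not code from the original article or from ServiceNow. The in-memory table, the field and password values and the CountOracle class are constructed for this illustration; the encoded-query format (terms joined by `^`, `field=value` or `fieldSTARTSWITHvalue`) mirrors the platform’s encoded-query syntax, but the parser and access check here are simplified stand-ins, not the platform’s real ACL logic.

```python
"""Model of a record-count side channel: a list page that reveals only how many
records match a caller-controlled filter, queried repeatedly to recover a field
value one character at a time. All data here is constructed; the table, field
names and CountOracle are assumptions for illustration, not ServiceNow code."""
import string

# Constructed sample table standing in for a ServiceNow-style record table.
SAMPLE_TABLE = [
    {"sys_id": "0001", "user_name": "alice", "user_password": "Hunter2!x"},
    {"sys_id": "0002", "user_name": "bob", "user_password": "correct-horse"},
    {"sys_id": "0003", "user_name": "carol", "user_password": "Tr0ub4dor&3"},
]

# Candidate characters for guessing. '^' and '=' are left out because the
# simplified encoded-query syntax below uses them as delimiters.
ALPHABET = string.ascii_letters + string.digits + "!@#$%&*_-+.?"


def parse_encoded_query(encoded):
    """Parse terms joined by '^', each 'field=value' or 'fieldSTARTSWITHvalue'.
    Returns a list of (field, op, value) tuples. Simplified model only."""
    terms = []
    for term in encoded.split("^"):
        for op in ("STARTSWITH", "="):  # check the longer operator first
            if op in term:
                field, value = term.split(op, 1)
                terms.append((field, op, value))
                break
        else:
            raise ValueError(f"unparseable term: {term!r}")
    return terms


def term_matches(record, field, op, value):
    actual = str(record.get(field, ""))
    return actual.startswith(value) if op == "STARTSWITH" else actual == value


class CountOracle:
    """Stands in for the list-page record count: the caller never sees rows,
    only how many satisfy the filter. allowed_ops models a query ACL that
    limits which operators a low-privilege caller may use on the table."""

    def __init__(self, table, allowed_ops=None):
        self.table = table
        self.allowed_ops = allowed_ops
        self.calls = 0  # number of count requests issued, i.e. attack cost

    def count(self, encoded):
        self.calls += 1
        terms = parse_encoded_query(encoded)
        if self.allowed_ops is not None:
            for _, op, _ in terms:
                if op not in self.allowed_ops:
                    raise PermissionError(f"operator {op} not permitted")
        return sum(1 for r in self.table
                   if all(term_matches(r, f, op, v) for f, op, v in terms))


def extract_value(oracle, pin_field, pin_value, target_field,
                  alphabet=ALPHABET, max_len=64):
    """Recover target_field of the row where pin_field == pin_value, one
    character at a time, by asking whether any record matches the prefix."""
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            query = f"{pin_field}={pin_value}^{target_field}STARTSWITH{known + ch}"
            if oracle.count(query) > 0:
                known += ch
                break
        else:
            # No character extends the prefix: the whole value is recovered
            # (or it contains a character outside the guessing alphabet).
            break
    return known


def run_demo():
    """Attack the unrestricted oracle, then one that permits only equality
    filters, where the first prefix query is refused."""
    weak = CountOracle(SAMPLE_TABLE)
    recovered = extract_value(weak, "user_name", "alice", "user_password")
    hardened = CountOracle(SAMPLE_TABLE, allowed_ops={"="})
    try:
        extract_value(hardened, "user_name", "alice", "user_password")
        blocked = False
    except PermissionError:
        blocked = True
    return recovered, weak.calls, blocked


if __name__ == "__main__":
    value, calls, blocked = run_demo()
    print(f"recovered {value!r} in {calls} count queries; "
          f"hardened oracle blocked the attack: {blocked}")
```

The cost of the attack is bounded by the alphabet size times the length of the value, a few hundred count requests for a short password, which is why a count that leaks one bit per query is enough. Restricting a caller to operators that cannot express a partial match, as the hardened oracle does, removes that bit; filtering the count itself by the caller’s role, as the article describes for Security Data Filters, is the complementary control and is not modelled here.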
ServiceNow and Varonis both recommend that customers immediately review their custom and standard tables and implement the new security mechanisms to protect sensitive data from potential exposure.