ServiceNow disclosed a significant security flaw, CVE-2025-3648, with a CVSS score of 8.2, relating to data inference through conditional access control list (ACL) rules. Discovered by Varonis, the flaw permits both authenticated and unauthenticated users to access sensitive information via range query requests, even when ACLs deny access. The vulnerability affects the record count UI element on lists, potentially exposing confidential data across numerous tables. Exploitation is simple, requiring minimal access and posing risks to personally identifiable information (PII) and credentials.
The vulnerability, tracked as CVE-2025-3648 (CVSS score: 8.2), has been described as a case of data inference in Now Platform through conditional access control list (ACL) rules.
Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them.
Most concerning, this vulnerability was relatively simple to exploit and required only minimal table access, such as a weak user account within the instance or even a self-registered anonymous user.
Varonis found that access to ServiceNow tables, while governed by ACL configurations, could be used to glean information, even in scenarios where access is denied due to a failed 'Data Condition' or 'Script Condition'.
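The inference described above can be reproduced in a simplified model. This is an added example, not ServiceNow code or the vendor's remediation: the table, the data condition and every function name are hypothetical. It shows a list query whose record count is computed before the ACL data condition runs, next to an ordering that does not leak, plus a regression check a defender can run against either.

```python
# Simplified model of count-based inference; NOT ServiceNow code.
# All names and the sample table are constructed for illustration.
from dataclasses import dataclass

@dataclass
class ListResult:
    rows: list   # rows the caller is allowed to read
    count: int   # value shown in the "record count" UI element

# Constructed sample table.
TABLE = [
    {"owner": "alice", "secret": "m4ple"},
    {"owner": "bob", "secret": "zebra"},
]

def data_condition(user, row):
    """ACL data condition (assumed): a user may read only their own rows."""
    return row["owner"] == user

def query_vulnerable(user, flt):
    """Filter runs over every row; the count is taken before the ACL check."""
    matched = [r for r in TABLE if flt(r)]
    visible = [r for r in matched if data_condition(user, r)]
    return ListResult(visible, len(matched))

def query_hardened(user, flt):
    """ACL is applied first, so filter and count only see readable rows."""
    readable = [r for r in TABLE if data_condition(user, r)]
    visible = [r for r in readable if flt(r)]
    return ListResult(visible, len(visible))

def count_leaks(query, user, flt):
    """Regression check: the count must equal the number of readable rows."""
    res = query(user, flt)
    return res.count != len(res.rows)

def range_filter(row):
    """Range query on a field belonging to a row the caller cannot read."""
    return row["secret"] >= "z"

if __name__ == "__main__":
    for q in (query_vulnerable, query_hardened):
        res = q("alice", range_filter)
        print(q.__name__, "rows:", res.rows, "count:", res.count,
              "leaks:", count_leaks(q, "alice", range_filter))
```

In the vulnerable ordering the caller receives no rows but a non-zero count, which is the signal that lets a range query confirm facts about denied records.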