
ServiceNow discloses security incident exposing customer data


ServiceNow is warning about a security incident after attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances.

The company quietly warned impacted customers through a support bulletin and direct support cases after detecting "anomalous activity" related to the issue.

The bulletin, which is hidden behind ServiceNow's customer support login portal, states that the company applied a security update to hosted customer instances on June 5, 2026.

"On June 5, 2026, ServiceNow applied a security update to hosted customer instances," reads the support bulletin.

"The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended."

The company says this security update changes the API endpoint configuration to limit access to authenticated users only.

ServiceNow also confirmed that attackers exploited this flaw to successfully query the customer instance tables.

While ServiceNow did not disclose which data was accessed during the attacks, instances commonly store sensitive enterprise information, including IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services.

Support case information has become an increasingly popular target for threat actors, as tickets can contain credentials, API tokens, internal documentation, and authentication secrets shared during troubleshooting.

According to the advisory, ServiceNow has now opened support cases with affected customers. If a customer has not received one, they are not believed to be affected by the incident.
