
New ServiceNow flaw lets attackers enumerate restricted data


A new vulnerability in ServiceNow, dubbed Count(er) Strike, allows low-privileged users to extract sensitive data from tables to which they should not have access.

ServiceNow is a cloud-based platform that enables organizations to manage digital workflows for their enterprise operations. It is widely adopted across the public sector, healthcare, financial services, and large enterprises.

The flaw was discovered by Varonis Threat Labs in February 2025 and assigned the identifier CVE-2025-3648. It affects instances whose ACLs are misconfigured or overly permissive.

ServiceNow addressed the issue with additional access control frameworks in the Xanadu and Yokohama versions, which were released last month. Even so, all admins should review the ACLs on their existing tables to ensure the data is properly locked down.

The Count(er) Strike flaw

ServiceNow uses Access Control Lists (ACLs) to restrict access to data within its tables. Each ACL evaluates four conditions when determining whether a user should have access to a specific resource:

Required roles

Security attributes

Data conditions

Script conditions
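The four checks above, as an added example that is not ServiceNow code and not part of the original article: a small Python model of ACL evaluation, where one ACL grants access only if every check it defines passes (an undefined check passes by default), plus an audit that flags ACLs gated by nothing more than being logged in, or gated only by a data or script condition with no role or security-attribute requirement. The ACL records, the field names, the "any one matching ACL is enough" rule and the deny result for a table with no ACL at all are simplifying assumptions for illustration, not an export from a real instance.

```python
"""Model of ServiceNow-style ACL evaluation and an audit for permissive ACLs.

Added example: the records, field names and semantics below are simplified
assumptions for illustration, not ServiceNow's implementation.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    security_attributes: Set[str] = field(default_factory=set)


@dataclass
class Acl:
    table: str
    operation: str  # "read", "write", "create" or "delete"
    roles: Set[str] = field(default_factory=set)                 # any one suffices
    security_attributes: Set[str] = field(default_factory=set)   # all must be held (assumption)
    condition: Optional[Callable[[dict], bool]] = None           # data condition on the record
    script: Optional[Callable[[User, dict], bool]] = None        # script condition (user, record)


def acl_allows(acl: Acl, user: User, record: dict) -> bool:
    """All four checks must pass; a check the ACL does not define passes."""
    if acl.roles and not (acl.roles & user.roles):
        return False
    if acl.security_attributes and not acl.security_attributes.issubset(user.security_attributes):
        return False
    if acl.condition is not None and not acl.condition(record):
        return False
    if acl.script is not None and not acl.script(user, record):
        return False
    return True


def can_access(acls: List[Acl], table: str, operation: str, user: User, record: dict) -> bool:
    """Assumed rule: any matching ACL that allows is enough; no matching ACL denies."""
    matching = [a for a in acls if a.table == table and a.operation == operation]
    return any(acl_allows(a, user, record) for a in matching)


def classify(acl: Acl) -> Optional[str]:
    """Label ACLs that rely on weak gates; None means role/attribute gated."""
    gated_by_identity = bool(acl.roles or acl.security_attributes)
    gated_by_data = acl.condition is not None or acl.script is not None
    if not gated_by_identity and not gated_by_data:
        return "open"            # any authenticated user passes
    if not gated_by_identity:
        return "condition-only"  # only the record's contents decide
    return None


def audit(acls: List[Acl]) -> Dict[str, List[str]]:
    """Group weakly gated ACLs as 'table.operation' strings, sorted per bucket."""
    findings: Dict[str, List[str]] = {"open": [], "condition-only": []}
    for acl in acls:
        label = classify(acl)
        if label is not None:
            findings[label].append(f"{acl.table}.{acl.operation}")
    for key in findings:
        findings[key].sort()
    return findings


# Constructed sample ACL set; table and role names are illustrative only.
ACLS = [
    Acl("incident", "read", roles={"itil"}),
    Acl("sys_user", "read"),  # no gate at all: every logged-in user can read
    Acl("u_salary", "read", condition=lambda rec: rec.get("public") is True),
    Acl("u_salary", "write", roles={"hr_admin"},
        script=lambda user, rec: rec.get("owner") == user.name),
    Acl("cmdb_ci", "read", roles={"itil"}, condition=lambda rec: rec.get("active", True)),
]


if __name__ == "__main__":
    for bucket, names in audit(ACLS).items():
        print(f"{bucket}: {', '.join(names) or '(none)'}")
```

Running the audit against the constructed set reports `sys_user.read` as open and `u_salary.read` as condition-only; the two role-gated ACLs are not reported. In a real review the input would be the instance's ACL records rather than this inline list, and the article's advice still applies: an ACL that passes purely on a data or script condition deserves a second look.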
