ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances
ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances
https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html
Publish Date: 2026-06-10 03:02:00
Source Domain: thehackernews.com
ServiceNow has warned about a security incident in which unknown threat actors exploited a flaw to obtain deeper unauthorized access to susceptible instances.
“On June 5, 2026, ServiceNow applied a security update to hosted customer instances,” the company revealed in an advisory that requires customer access. “The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”
The security update makes changes to an endpoint configuration to limit this access to authenticated users. The security flaw currently does not have a CVE identifier. Details of the issue first emerged on Reddit.
ServiceNow said it detected anomalous activity relating to the security issue, and that it observed evidence of successful queries of instance tables against a “subset of customers.” Impacted customers have been notified, it added.
“The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia,” it noted.
A Reddit comment from a user named “d3s7iny” claimed that its security team reported the vulnerability to ServiceNow, adding that the software company had been aware of the problem internally since April 7, 2026. For about two months, ServiceNow is said to have classified it as a non-urgent issue, with plans to remediate it in a future update.
When reached for comment, a ServiceNow spokesperson said “our main priority was to reach out directly to the subset of customers this [incident] affected, it was not broad.”
The company has since publicly acknowledged in an advisory that “a subset of customer instances were queried successfully as part of this activity.” The malicious activity is said to have commenced on June 2, 2026.
“On June 3-4, 2026, customers shared submissions to their bug bounty programs…
