Hackers are targeting unpatched ServiceNow instances that exploit 3 separate year-old vulnerabilities – TechRadar
Published on: 2025-03-21
1. BLUF (Bottom Line Up Front)
Attackers are actively exploiting unpatched ServiceNow instances by chaining three vulnerabilities that were disclosed, and patched, more than a year ago. The vulnerabilities were discovered by researchers at Assetnote; GreyNoise is tracking the renewed exploitation attempts. Chained together, they give an unauthorized party access to the instance's underlying database. The resurgence of this activity is a significant threat to organizations that have not applied the vendor fixes. Immediate patching is required to prevent data breaches and any follow-on activity, such as ransomware, that a compromised instance could enable.
2. Detailed Analysis
General Analysis
The three vulnerabilities, each tracked under its own CVE identifier, have been public for over a year and fixes have been available for as long. Despite that, many internet-facing ServiceNow instances still run vulnerable releases and remain exploitable. The attack chain uses the unpatched flaws to gain an initial foothold on the instance, injects a payload that the instance executes, and from there reaches the database. GreyNoise has observed attempts against organizations in Israel, Germany, Japan, and Lithuania. A successful chain exposes whatever the database holds, including user credentials and other sensitive records, which is the basis for the data-breach risk described below.
3. Implications and Strategic Risks
The continued exploitation of these vulnerabilities poses several strategic risks, including:
- Compromise of sensitive organizational data, leading to potential financial losses and reputational damage.
- Increased likelihood of ransomware attacks, which could disrupt critical services and operations.
- Potential national security risks if government or critical infrastructure entities are targeted.
- Economic impacts due to the disruption of business processes and potential legal liabilities.
4. Recommendations and Outlook
Recommendations:
- Organizations using ServiceNow should immediately apply all available patches to protect against these vulnerabilities.
- Implement robust monitoring and incident response strategies to detect and mitigate potential intrusions.
- Enhance cybersecurity awareness and training programs to ensure staff can recognize and respond to threats.
- Consider regulatory and policy updates to mandate timely patch management and vulnerability assessments.
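The monitoring recommendation above is the one point on this page where a concrete check is useful. What follows is an added example, not code from TechRadar, Assetnote or GreyNoise: a Python script that parses web-server access-log lines for a ServiceNow instance, percent-decodes each request parameter (including double-encoded values), flags parameters that carry template or script-evaluation markup, and tallies flagged requests per source IP in the way a honeypot tracker would. The log lines are constructed, and the parameter name `page_title` and the indicator patterns are illustrative assumptions, not published signatures for the three CVEs.

```python
"""Detection example (added here): flag access-log requests whose query
parameters carry template/script-evaluation markup, then summarise by source."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Common Log Format; not real traffic.
# The parameter name "page_title" is an assumption for illustration only.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2025:10:01:02 +0000] "GET /login.do?page_title=Welcome HTTP/1.1" 200 4120
203.0.113.10 - - [20/Mar/2025:10:01:03 +0000] "GET /login.do?page_title=%3Cx%3Aevaluate%3Egs.getUser()%3C%2Fx%3Aevaluate%3E HTTP/1.1" 200 4120
198.51.100.7 - - [20/Mar/2025:11:15:40 +0000] "GET /api/now/table/incident?sysparm_limit=10 HTTP/1.1" 401 120
198.51.100.7 - - [20/Mar/2025:11:15:41 +0000] "POST /login.do?page_title=%253Cx%253Aevaluate%253E HTTP/1.1" 200 88
192.0.2.55 - - [20/Mar/2025:12:00:00 +0000] "GET /login.do?page_title=%3Cb%3EHi%3C%2Fb%3E HTTP/1.1" 200 4120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed generic indicators of template/script injection (not a vendor signature).
INDICATORS = {
    "namespaced_tag": re.compile(r"<[a-z]+:[a-z]+", re.I),  # e.g. <x:evaluate>
    "glide_api_call": re.compile(r"\bgs\.\w+\s*\("),         # GlideSystem call text
    "evaluate_kw": re.compile(r"\bevaluate\b", re.I),
}


def deep_decode(value, rounds=2):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def score_target(target):
    """Return the sorted indicator names matched in any decoded query parameter."""
    query = urlsplit(target).query
    hits = set()
    for _, raw in parse_qsl(query, keep_blank_values=True):  # one decode here
        value = deep_decode(raw)                               # catch %25-encoding
        for name, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


def scan(log_text):
    """Parse log lines; return (findings, per_source).

    findings: one dict per suspicious request; per_source: flagged count per IP.
    Unparseable lines are skipped rather than aborting the scan."""
    findings = []
    per_source = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = score_target(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]), "indicators": hits,
            })
            per_source[m["ip"]] += 1
    return findings, dict(per_source)


def flag_sources(per_source, threshold=1):
    """Source IPs with at least `threshold` flagged requests, for blocking/triage."""
    return sorted(ip for ip, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    found, sources = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> "
              f"{f['status']} [{', '.join(f['indicators'])}]")
    print("sources to investigate:", flag_sources(sources))
```

The fifth constructed line carries plain HTML in the same parameter and is deliberately not flagged: ordinary markup in a query string is noise, and the indicators look for the namespaced tag and script-call shapes instead. A 200 response to a flagged request is worth more attention than a 4xx, so the status is kept in each finding. Pair this with GreyNoise-style source reputation where available, and treat any hit against an unpatched instance as a trigger for the incident response process the recommendations call for.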
Outlook:
Best-case scenario: Organizations promptly patch their systems, significantly reducing the attack surface and preventing further exploitation.
Worst-case scenario: Continued exploitation leads to widespread data breaches and ransomware attacks, causing substantial economic and operational disruptions.
Most likely scenario: A mixed response from organizations, with some implementing patches and others remaining vulnerable, resulting in ongoing but reduced attack activity.
5. Key Individuals and Entities
The report names the following parties involved in discovering, tracking, or reporting the vulnerabilities and their exploitation:
- Assetnote, whose researchers discovered the vulnerabilities
- GreyNoise, which is tracking the renewed exploitation attempts
- Sead, credited on the TechRadar report
Their findings are the basis for the exploitation picture above and for the mitigation guidance in this report.