Varonis Threat Labs discovered a critical vulnerability named Count(er) Strike in ServiceNow’s platform that allowed minimal-access users to infer and exfiltrate sensitive data across multiple tables. ServiceNow addressed the issue by releasing security updates and introducing new access control mechanisms like Query ACLs and Security Data Filters.
Key points
- Varonis researchers identified a high-severity vulnerability in ServiceNow’s record count UI that enables data enumeration and exposure with minimal access.
- The vulnerability, named Count(er) Strike, affects multiple common ServiceNow tables and solutions, putting PII, credentials, financial, and other sensitive data at risk.
- This flaw can be exploited by any user within an instance, including self-registered or anonymous users, without needing privilege escalation.
- ServiceNow organizes data in tables protected by ACLs; however, ACL configurations with empty or overly permissive role and security attribute conditions are vulnerable.
- Attackers leverage query parameters and enumeration techniques on list pages to infer record contents and automate data exfiltration using scripts.
- Features such as dot-walking and self-registration increase the vulnerability’s impact by expanding accessible related data and entry points.
- ServiceNow responded by issuing a CVE (CVE-2025-3648) and releasing security patches plus new controls including Query ACLs and Security Data Filters.
MITRE Techniques
- [T1087] Account Discovery – Exploited self-registration to gain access to instances and enumerate user accounts. (“ServiceNow’s self-registration feature allows new users to create accounts and access an instance without prior administrator approval.”)
- [T1213] Data from Information Repositories – Used enumeration of record counts and query parameters on tables to infer and retrieve sensitive data. (“When a threat actor encounters a table page displaying the total number of records, they can use query parameters to infer detailed data through enumeration.”)
- [T1056] Input Capture – Automated enumeration and data exfiltration were performed through scripts exploiting query filtration mechanisms. (“A threat actor can automate this process by writing a simple script for enumeration, allowing them to retrieve full record data from table.”)
Indicators of Compromise
- [URLs] ServiceNow instance endpoints used for enumeration – example: {my_company}.service-now.com/task_list.do, {my_company}.service-now.com/{table_name_users_list.do}?sysparm_query=active=false
- [CVE] Vulnerability identifier – CVE-2025-3648 for the Count(er) Strike vulnerability
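A defender-side way to look for the enumeration pattern described above in web request logs, as an added example that is not from Varonis or ServiceNow. It assumes a simplified log line of `timestamp user method path` and a hypothetical threshold of five distinct filters; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LIST_PAGE = re.compile(r"^/([a-z0-9_]+)_list\.do$")  # e.g. /task_list.do
FIELD = re.compile(r"^[a-z0-9_.]+")  # leading field name; dots mean dot-walking


def parse_request(line):
    """Return (user, table, sysparm_query) for list-page requests, else None."""
    parts = line.split()
    if len(parts) != 4:  # assumed format: timestamp user method path
        return None
    _ts, user, _method, target = parts
    url = urlsplit(target)
    page = LIST_PAGE.match(url.path)
    query = parse_qs(url.query).get("sysparm_query")
    if not page or not query:
        return None
    return user, page.group(1), query[0]


def enumeration_suspects(lines, min_distinct=5):
    """Map (user, table, field) to the number of distinct filter conditions
    that user sent for that field, keeping only counts >= min_distinct."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        user, table, query = parsed
        for condition in query.split("^"):  # "^" joins conditions in a query
            field = FIELD.match(condition)
            if field:
                seen[(user, table, field.group(0))].add(condition)
    return {key: len(v) for key, v in seen.items() if len(v) >= min_distinct}


# Constructed sample input: one ordinary user, one account cycling filter values.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z analyst GET /task_list.do?sysparm_query=active=false",
    "2025-01-01T10:00:05Z analyst GET /task_list.do?sysparm_query=active=true",
    "2025-01-01T10:00:09Z analyst GET /home.do",
] + [
    f"2025-01-01T10:01:{i:02d}Z self_reg_user GET "
    f"/task_list.do?sysparm_query=short_description=value{i}"
    for i in range(6)
]

if __name__ == "__main__":
    for key, count in enumeration_suspects(SAMPLE_LOG).items():
        print(key, count)
```

The threshold and grouping key need tuning against normal list-filter usage in a given instance before this is used for alerting.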
Read more: https://www.varonis.com/blog/counter-strike-servicenow