ServiceNow instance unauthenticated table-query exploitation
Summary
ServiceNow disclosed a hosted-instance security issue on 2026-06-05 after detecting anomalous activity and evidence of successful instance-table queries against a subset of customers. The company told customers that, in certain circumstances, an unauthenticated user could gain greater access to ServiceNow instances than intended; at publication time the issue had no public CVE.
The durable threat-intelligence value is SaaS control-plane exposure: a platform endpoint-configuration issue can turn into unauthorized reads from customer instance tables. Responders therefore need to scope affected instances, table access, integrations, and downstream secrets rather than treating the event as a conventional patch-only vulnerability.
Tags
- ops
- operations
- ServiceNow
- SaaS
- active exploitation
- unauthenticated access
- data exposure
- incident response
- control plane
Why this matters
- ServiceNow instances often hold ticket content, user data, CMDB records, workflow state, credentials or integration context, and incident / change-management history.
- ServiceNow reported successful queries against instance tables for a subset of customers, making this an access-and-data-review problem even though hosted customer instances were updated by the vendor.
- The reported affected scope includes customers on the Australia platform release or instances on earlier releases with certain configuration changes.
- There is no public actor attribution, malware payload, or CVE yet; keep follow-up claims separated from ServiceNow's notification and public reporting.
Operational characteristics
- Affected platform: ServiceNow hosted customer instances.
- Exploit primitive: unauthenticated access to an endpoint path that could allow greater-than-intended instance access and table queries.
- Vendor action: ServiceNow said it applied a security update to hosted customer instances on 2026-06-05 and changed endpoint configuration to limit access to authenticated users.
- Observed activity: ServiceNow reported anomalous activity and evidence of successful queries of instance tables against a subset of customers; impacted customers were notified.
- Affected configuration: customers on the Australia platform release, or customers that made certain configuration changes on releases before Australia, according to the ServiceNow notice quoted by The Hacker News.
- Attribution: unknown; no public campaign name or threat-actor cluster is established.
Defender heuristics
- If you operate ServiceNow, check whether your tenant received a vendor notification for this issue and preserve the notification, timestamps, and any vendor-provided query or table details.
- Review instance access, table API activity, unauthenticated request paths, unusual query volume, source IPs, and errors in the periods before and after the 2026-06-05 update.
- Scope sensitive tables first: users, groups, incidents, change records, CMDB assets, integrations, OAuth/application registry data, secrets-like variables, attachment metadata, and custom tables used by security or IT operations.
- Assume copied table data can be used for secondary attacks: rotate exposed integration credentials, review service-account permissions, and watch for phishing or help-desk social engineering using ticket and CMDB context.
- Preserve ServiceNow logs and export evidence before retention windows expire; coordinate with the vendor if hosted logs needed for scoping are not customer-accessible.
- Keep the case open for follow-up CVE, advisory, or exploitation details; do not infer actor attribution from Reddit or secondary discussion alone.
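One way to start the log review and table scoping described in the heuristics above, as an added example that is not ServiceNow's or this page's own code. Assumptions: the CSV export layout and sample rows are constructed, the Table API path prefix stands in for "table API activity" because the notice names no endpoint, an empty or "guest" user marks an unauthenticated request, and the sensitive-table set maps the list above to standard ServiceNow table names.

```python
import csv
import io
from datetime import datetime, timezone

# The page gives only the update date, so all of 2026-06-05 stays in the review window.
WINDOW_END = datetime(2026, 6, 6, tzinfo=timezone.utc)
# Assumption: standard ServiceNow table names for the page's "sensitive tables" list.
SENSITIVE = {"sys_user", "sys_user_group", "incident", "change_request",
             "cmdb_ci", "oauth_entity", "sys_attachment"}
TABLE_PREFIX = "/api/now/table/"  # assumption: Table API path; the page names no endpoint

# Constructed sample export; the column layout is hypothetical, IPs are documentation ranges.
SAMPLE = """timestamp,src_ip,user,method,path,status
2026-06-03T02:14:09Z,203.0.113.7,,GET,/api/now/table/sys_user?sysparm_limit=1000,200
2026-06-03T02:14:11Z,203.0.113.7,,GET,/api/now/table/oauth_entity,200
2026-06-03T02:14:15Z,203.0.113.7,,GET,/api/now/table/u_custom_notes,200
2026-06-04T09:30:00Z,198.51.100.20,svc_integration,GET,/api/now/table/incident,200
2026-06-04T11:02:41Z,192.0.2.44,,GET,/api/now/table/cmdb_ci,401
2026-06-04T23:59:58Z,192.0.2.44,guest,GET,/api/now/table/cmdb_ci/abc123,200
2026-06-06T01:00:00Z,203.0.113.7,,GET,/api/now/table/sys_user,401
"""

def table_of(path):
    """Return the table name from a Table API path, or None for other paths."""
    if not path.startswith(TABLE_PREFIX):
        return None
    return path[len(TABLE_PREFIX):].split("?", 1)[0].split("/", 1)[0] or None

def triage(log_text, window_end=WINDOW_END):
    """Group successful unauthenticated table reads inside the window by source IP."""
    by_ip = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        table = table_of(row["path"])
        anonymous = row["user"].strip().lower() in ("", "guest")  # assumed markers
        # Denied requests show probing, not a successful query, so only 2xx counts.
        if (table is None or not anonymous or ts >= window_end
                or not row["status"].startswith("2")):
            continue
        hit = by_ip.setdefault(row["src_ip"], {"src_ip": row["src_ip"], "hits": 0,
                                               "tables": set(), "first": ts, "last": ts})
        hit["hits"] += 1
        hit["tables"].add(table)
        hit["first"], hit["last"] = min(hit["first"], ts), max(hit["last"], ts)
    for hit in by_ip.values():
        hit["sensitive"] = sorted(hit["tables"] & SENSITIVE)
    return sorted(by_ip.values(), key=lambda h: (-len(h["sensitive"]), -h["hits"]))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Sources that read the most sensitive tables sort first; custom tables such as the constructed `u_custom_notes` still appear under `tables` and need a manual sensitivity call.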
Related pages
- PAN-OS GlobalProtect CVE-2026-0257 exploitation
- Kali365 device-code phishing expansion
- Microsoft Teams external-chat phishing
Sources
- ServiceNow support advisory KB3067321: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB3067321
- The Hacker News: https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html