Full Report
Threat intelligence startup GreyNoise says it has observed a ‘notable resurgence’ in attack activity.
Analysis Summary
# Vulnerability: Actively Exploited ServiceNow Vulnerabilities Leading to Database Access
## CVE Details
- CVE ID: CVE-2024-4879, CVE-2024-5178, CVE-2024-5217 (A trio of vulnerabilities)
- CVSS Score: Not specified in the text.
- CWE: Not specified in the text.
## Affected Systems
- Products: ServiceNow instances
- Versions: Unpatched instances (Vulnerabilities were disclosed/patched in May/July 2024, implying versions prior to July 2024 patches are affected).
- Configurations: Standard installations accessible to potential attackers.
## Vulnerability Description
A trio of vulnerabilities in the ServiceNow platform has been identified. Security researchers confirm these flaws can be chained together to achieve "full database access" on affected instances. ServiceNow instances often host sensitive organizational data, including PII and HR records.
## Exploitation
- Status: Active exploitation in the wild ("notable resurgence of in-the-wild activity").
- Complexity: Implied to be manageable, as the vulnerabilities are actively being exploited by threat actors.
- Attack Vector: Network (Implied, as "in-the-wild activity" is being observed against instances).
## Impact
- Confidentiality: High (Potential for access to sensitive PII and HR records via full database access).
- Integrity: High (Ability to modify database contents).
- Availability: Medium/High (Depending on the scope of the compromise).
## Remediation
### Patches
- The vulnerabilities were initially disclosed in **May 2024** and patched by ServiceNow in **July 2024**. Organizations must apply the relevant security updates released in July 2024 or later.
### Workarounds
- No specific workarounds were detailed in the provided summary, other than applying the official patch.
## Detection
- **Indicators of Compromise (IoCs):** Increased malicious scanning/activity specifically targeting these ServiceNow vulnerabilities across the internet. GreyNoise observed activity heavily targeting systems based in Israel (70% of recent activity), with scans also seen in Germany, Japan, and Lithuania.
- **Detection Methods and Tools:** Threat intelligence platforms monitoring for signatures associated with exploitation attempts targeting CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217. GreyNoise confirmed tracking of active exploitation.
## References
- Vendor Advisories: ServiceNow advisories released in May/July 2024.
- Relevant Links:
  - GreyNoise Blog Post: hxxps://www.greynoise.io/blog/in-the-wild-activity-targeting-critical-servicenow-vulnerabilities
  - Resecurity Warning (Regarding chaining): hxxps://www.resecurity.com/blog/article/cve-2024-4879-and-cve-2024-5217-servicenow-rce-exploitation-in-a-global-reconnaissance-campaign
  - Source Article: hxxps://techcrunch.com/2025/03/20/hackers-are-ramping-up-attacks-using-year-old-servicenow-security-bugs-to-break-into-unpatched-systems/