Full Report
ServiceNow has warned about a security incident in which unknown threat actors exploited a flaw to obtain deeper unauthorized access to susceptible instances. "On June 5, 2026, ServiceNow applied a security update to hosted customer instances," the company revealed in an advisory that requires customer access. "The update concerned a security issue that could allow an unauthenticated user, in
Analysis Summary
# Incident Report: ServiceNow Unauthenticated Table Access Exploitation
## Executive Summary
Unknown threat actors exploited a configuration flaw affecting ServiceNow's "Australia" release, and instances with specific custom configurations, to gain unauthorized access to hosted customer instances. The vulnerability allowed unauthenticated users to execute successful queries against instance tables, potentially exposing sensitive organizational data. ServiceNow has since remediated the issue via a security update and notified a subset of impacted customers.
## Incident Details
- **Discovery Date:** April 7, 2026 (Internal report); June 2026 (Detection of active exploitation)
- **Incident Date:** Ongoing from approximately April 2026 to June 5, 2026
- **Affected Organization:** ServiceNow (Service Provider) and a subset of its customers
- **Sector:** Technology / SaaS (Software as a Service)
- **Geography:** Global (with specific focus on the Australia platform release)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa April - June 2026
- **Vector:** Exploitation of a misconfigured/vulnerable endpoint.
- **Details:** Attackers exploited a security flaw that allowed unauthenticated users to gain "greater access than intended" to ServiceNow instances.
### Lateral Movement
- **Details:** The incident focused on unauthorized access to "instance tables." While traditional network lateral movement was not detailed, the flaw allowed attackers to move from an unauthenticated state to querying internal database tables of various customers.
### Data Exfiltration/Impact
- **Details:** ServiceNow confirmed "successful queries of instance tables" against a subset of customers. This implies the unauthorized viewing and potential exfiltration of record data stored within the platform.
### Detection & Response
- **April 7, 2026:** Vulnerability reportedly disclosed to ServiceNow by a third party.
- **June 5, 2026:** ServiceNow applied a security update to all hosted customer instances to limit endpoint access to authenticated users.
- **June 10, 2026:** Public disclosure of the incident and notification of impacted customers following the detection of anomalous activity.
## Attack Methodology
- **Initial Access:** Exploitation of an unprotected endpoint configuration allowing unauthenticated queries.
- **Persistence:** Not specified; likely reliant on the continued existence of the unpatched flaw across instances.
- **Privilege Escalation:** Unauthenticated access escalation to query-level permissions on instance tables.
- **Defense Evasion:** Not disclosed, though the activity was eventually caught by anomalous activity monitoring.
- **Credential Access:** Not required (unauthenticated flaw).
- **Discovery:** Probing for the "Australia" platform release or specific manual configuration changes in older releases.
- **Lateral Movement:** Not applicable in a traditional sense; unauthorized access across multi-tenant table structures.
- **Collection:** Direct querying of instance tables containing customer data.
- **Exfiltration:** Execution of successful queries to pull data from ServiceNow tables.
- **Impact:** Potential data exposure/breach of sensitive organizational records.
## Impact Assessment
- **Financial:** Not yet disclosed; potential regulatory fines or SLA credits.
- **Data Breach:** Confirmed "successful queries" against a subset of customers; volume and sensitivity of data remain unspecified.
- **Operational:** Minimal disruption to service, but necessitated a forced hotfix deployment by the provider.
- **Reputational:** Significant concern regarding the two-month delay between initial report (April) and remediation (June).
## Indicators of Compromise
- **Network indicators:** ServiceNow observed anomalous activity originating from unknown threat actor IPs (specific IPs not disclosed in the report).
- **File indicators:** N/A (Cloud-based configuration exploit).
- **Behavioral indicators:** Unusual query patterns against instance tables from unauthenticated sessions.
## Response Actions
- **Containment:** ServiceNow modified endpoint configurations to require authentication for previously open paths.
- **Eradication:** Deployment of a global security update to all hosted instances on June 5, 2026.
- **Recovery:** Notification of affected customers and provision of an advisory (KB3067321) for further configuration guidance.
## Lessons Learned
- **Severity Classification:** The delay between the April report and June patch suggests a potential misclassification of the vulnerability's severity.
- **Config Drift:** The impact on customers who "made certain configuration changes" highlights the risks of non-standard security configurations in SaaS environments.
## Recommendations
- **Authentication Enforcement:** Ensure all ServiceNow endpoints, particularly those interacting with database tables, strictly require authentication.
- **Update Management:** Customers on self-hosted or older versions should immediately verify they have reached the "Australia" release or applied the June 5 update.
- **Monitoring:** Implement logging and alerting for unauthenticated requests directed at sensitive API endpoints or table identifiers.
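
One way to implement the monitoring recommendation is sketched below. This is an added example, not ServiceNow tooling or code from the advisory. It scans request logs for successful table reads made without an authenticated user and groups them by source IP. The JSON log fields, the `guest` marker for unauthenticated sessions, the `min_tables` threshold and the use of the documented Table API path as a stand-in are all assumptions, since the report does not name the affected endpoint.

```python
import json
import re
from collections import defaultdict

# Assumption: table reads go through a path that names the table. ServiceNow's
# documented Table API shape is used as a stand-in; the report does not name
# the endpoint involved in the incident.
TABLE_PATH = re.compile(r"^/api/now/table/(?P<table>[a-z0-9_]+)")
UNAUTH_USERS = {"", "guest"}  # assumption: how the log marks unauthenticated sessions

# Constructed sample records (not real incident data; IPs are documentation ranges).
SAMPLE_LOG = """\
{"ts":"2026-06-01T02:11:09Z","src_ip":"203.0.113.7","user":"guest","path":"/api/now/table/incident","status":200,"rows":250}
{"ts":"2026-06-01T02:11:04Z","src_ip":"203.0.113.7","user":"guest","path":"/api/now/table/sys_user?sysparm_limit=1000","status":200,"rows":1000}
{"ts":"2026-06-01T02:11:15Z","src_ip":"203.0.113.7","user":"guest","path":"/api/now/table/cmdb_ci","status":401,"rows":0}
{"ts":"2026-06-01T02:12:00Z","src_ip":"198.51.100.20","user":"j.doe","path":"/api/now/table/incident","status":200,"rows":20}
{"ts":"2026-06-01T02:13:00Z","src_ip":"198.51.100.33","user":"","path":"/api/now/table/incident","status":200,"rows":1}
{"ts":"2026-06-01T02:14:00Z","src_ip":"203.0.113.7","user":"guest","path":"/login.do","status":200,"rows":0}
not json
"""

def find_unauth_table_reads(log_text, min_tables=2):
    """Group successful unauthenticated table reads by source IP."""
    hits = defaultdict(lambda: {"tables": set(), "rows": 0, "first_seen": None})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or blank lines rather than abort the scan
        if not isinstance(rec, dict):
            continue
        m = TABLE_PATH.match(str(rec.get("path", "")))
        if not m or (rec.get("user") or "") not in UNAUTH_USERS:
            continue  # not a table read, or the session was authenticated
        if rec.get("status") != 200 or (rec.get("rows") or 0) <= 0:
            continue  # denied or empty responses returned no data
        h = hits[rec.get("src_ip", "unknown")]
        h["tables"].add(m["table"])
        h["rows"] += rec["rows"]
        h["first_seen"] = min(filter(None, [h["first_seen"], rec.get("ts")]))
    return {
        ip: {"tables": sorted(h["tables"]), "rows": h["rows"], "first_seen": h["first_seen"]}
        for ip, h in hits.items() if len(h["tables"]) >= min_tables
    }
```

Setting `min_tables=1` reports every source with any successful unauthenticated read, which is the stricter setting once endpoints are expected to require authentication.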