Critical ServiceNow RCE flaws actively exploited to steal credentials

Threat actors are chaining together ServiceNow flaws using publicly available exploits to breach government agencies and private firms in data theft attacks.

This malicious activity was reported by Resecurity, which, after monitoring it for a week, identified multiple victims, including government agencies, data centers, energy providers, and software development firms.

Although the vendor released security updates for the flaws on July 10, 2024, tens of thousands of systems potentially remain vulnerable to attacks.

Exploitation details

ServiceNow is a cloud-based platform that helps organizations manage digital workflows for enterprise operations.

It is widely adopted across various industries, including public sector organizations, healthcare, financial institutions, and large enterprises. FOFA internet scans return nearly 300,000 internet-exposed instances, reflecting the product's popularity.

On July 10, 2024, ServiceNow made hotfixes available for CVE-2024-4879, a critical (CVSS score: 9.3) input validation flaw enabling unauthenticated users to perform remote code execution on multiple versions of the Now Platform.

The next day, on July 11, Assetnote researchers who discovered the flaw published a detailed write-up about CVE-2024-4879 and two more flaws (CVE-2024-5178 and CVE-2024-5217) in ServiceNow that can be chained for full database access.

Soon, GitHub was flooded with working exploits based on the write-up and bulk network scanners for CVE-2024-4879, which threat actors almost immediately leveraged to find vulnerable instances, reports Resecurity.

The ongoing exploitation seen by Resecurity utilizes a payload injection to check for a specific result in the server response, followed by a second-stage payload that checks the database contents.

If successful, the attacker dumps user lists and account credentials. Resecurity says in most cases, these were hashed, but some of the breached instances exposed plaintext credentials.

Resecurity has seen elevated chatter about the ServiceNow flaws on underground forums, especially by users seeking access to IT service desks and corporate portals, indicating a high interest from the cybercrime community.

ServiceNow has made fixes available for all three vulnerabilities earlier this month in separate bulletins for CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217.

Users are recommended to check the fixed version indicated on the advisories and make sure that they have applied the patch on all instances or do it as soon as possible if they haven't.