A newly disclosed vulnerability in ServiceNow, dubbed Count(er) Strike, allows low-privileged users to infer data they are not authorized to read. The flaw lets a user extract sensitive values from tables that access controls should keep hidden, a significant concern for the many enterprises that run their workflows on the widely adopted cloud platform.
ServiceNow, which is used across sectors including healthcare, finance, and the public sector, relies on Access Control Lists (ACLs) to regulate access to table data. The flaw, assigned CVE-2025-3648, was reported by Varonis Threat Labs after research conducted in February 2025. Overly permissive ACL configurations, combined with the way the platform reports how many records an access control has hidden, are at the core of the issue.
Varonis's findings highlight a crucial weakness in how ServiceNow evaluates multiple ACLs. Under the previous model, when several ACLs applied to a table, a user gained access by satisfying any one of them, which could grant partial access to sensitive records. Even where a record was ultimately withheld, the interface still reported the number of records removed by security constraints, and that count, combined with attacker-chosen query filters, can be used to infer the contents of records the user cannot see. For further details, see the Varonis report.
To mitigate Count(er) Strike, ServiceNow has introduced 'Deny Unless' ACLs, which require a user to pass every applicable ACL rather than any one of them. It also recommends that customers restrict enumeration queries with the new Query ACLs, which limit what a filtered list can reveal. Even so, enterprises are urged to review their own ACL configurations rather than rely on the new controls alone. Varonis reports no evidence of the vulnerability being exploited in the wild so far, which gives affected organizations a narrow window to address the issue.
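The mechanism behind both the leak and the fix is easiest to see in a small simulation. The following Python is an added example written for this page; it is not ServiceNow code and does not talk to a ServiceNow instance. It models a table with a row-level ACL, a vulnerable listing that applies the caller's filter first and then reports how many rows security constraints removed, and a hardened listing that applies the ACL before the filter, discloses no count, and refuses filters on a protected field (a stand-in for a Query ACL). The records, the `owner`/`secret` fields, the `SENSITIVE_FIELDS` set and the user names are all constructed for the demonstration.

```python
import string

# Constructed sample table for the simulation (not real ServiceNow data).
RECORDS = [
    {"sys_id": "r1", "owner": "mallory", "secret": "kitten"},
    {"sys_id": "r2", "owner": "bob", "secret": "hunter2"},
    {"sys_id": "r3", "owner": "carol", "secret": "s3cr3t"},
]
ALPHABET = string.ascii_lowercase + string.digits
# Fields a Query ACL should keep out of caller-supplied filters (assumption for the demo).
SENSITIVE_FIELDS = {"secret"}


def row_acl_allows(user, record):
    """Row-level ACL: a user may read only the records they own."""
    return record["owner"] == user


def matches(record, conditions):
    """Evaluate an AND-ed list of (field, operator, value) filter conditions."""
    for field, op, value in conditions:
        if op == "=" and record[field] != value:
            return False
        if op == "STARTSWITH" and not record[field].startswith(value):
            return False
    return True


def list_leaky(user, conditions):
    """Vulnerable listing: the caller's filter runs over every record, the row ACL
    then hides what the caller may not read, and the response says how many rows
    were removed. That count is the oracle an attacker exploits."""
    matched = [r for r in RECORDS if matches(r, conditions)]
    visible = [r for r in matched if row_acl_allows(user, r)]
    return visible, len(matched) - len(visible)


def list_hardened(user, conditions):
    """Hardened listing: a Query ACL rejects filters on protected fields, the row
    ACL is applied before the caller's filter, and no removed-row count is returned."""
    if any(field in SENSITIVE_FIELDS for field, _, _ in conditions):
        raise PermissionError("query ACL: filtering on a protected field is not allowed")
    readable = [r for r in RECORDS if row_acl_allows(user, r)]
    return [r for r in readable if matches(r, conditions)]


def extract_secret(user, victim, listing=list_leaky, max_len=32):
    """Recover the victim's secret one character at a time: a prefix filter that
    makes the removed-row count go above zero matches a hidden record."""
    prefix = ""
    while len(prefix) < max_len:
        for c in ALPHABET:
            conds = [("owner", "=", victim), ("secret", "STARTSWITH", prefix + c)]
            _visible, removed = listing(user, conds)
            if removed > 0:
                prefix += c
                break
        else:
            return prefix  # no character extends the prefix: the secret is complete
    return prefix


def hardened_blocks_extraction(user, victim):
    """True if the hardened listing stops the extraction loop outright."""
    try:
        extract_secret(user, victim, listing=list_hardened)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # mallory can see none of bob's rows, yet recovers his secret from the count alone.
    print(list_leaky("mallory", [("owner", "=", "bob")]))
    print(extract_secret("mallory", "bob"))
    print(hardened_blocks_extraction("mallory", "bob"))
```

The point of the hardened variant is not any one change but the combination: without the count there is no oracle, without the filter on the protected field there is nothing to probe with, and applying the ACL before the filter means a disallowed row never influences the response at all. Any one of the three alone leaves a narrower side channel in place.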