ServiceNow Breach: Customer Data Exposed Through Unauthenticated API Access
ID: 5dc74923-7381-5e54-9285-1a81fcb239f2
STIX ID: report--5dc74923-7381-5e54-9285-1a81fcb239f2
Feed Name: SOCRadar Blog
ServiceNow disclosed malicious unauthorized access to some customer instances via a reportedly unauthenticated API endpoint (/api/now/related_list_edit/create), affecting customers on the Australia platform release and certain older-release configurations; ServiceNow applied a security update (KB3067321) on June 5, 2026. The report recommends confirming impact with ServiceNow support, validating the remediation, reviewing logs for the endpoint and suspicious IPs (notably 51.159.98.241), rotating exposed secrets, and auditing Scripted REST APIs, ACLs, and access policies.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
