ServiceNow’s requires_authentication=false: The One Boolean That Exposed Enterprise Data Worldwide
ID: 4b031089-46db-55de-aec9-71ba263201c0
STIX ID: report--4b031089-46db-55de-aec9-71ba263201c0
Feed Name: Security Boulevard
ServiceNow shipped a REST API endpoint (/api/now/related_list_edit/create) with requires_authentication=false, allowing unauthenticated access to customer instance data. Attackers queried IT tickets, employee records, security incident reports, and embedded credentials; anomalous activity and confirmed queries were observed on June 2–3. ServiceNow patched the issue on June 5 after receiving a bug bounty report on April 22 and publicly disclosed the incident on June 9. Organizations are advised to review logs for the endpoint and IP 51.159.98.241, rotate any credentials stored in ServiceNow, and audit Scripted REST Resources for misconfigured authentication.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
