
ServiceNow Vulnerability Exposed Sensitive Data to Attackers

A newly disclosed high-severity vulnerability in ServiceNow’s cloud platform, dubbed Count(er) Strike, could have allowed malicious actors to exfiltrate personally identifiable information, credentials, and other proprietary data from hundreds of tables with minimal access.

Discovered by Varonis Threat Labs in February 2024 and formally tracked as CVE-2025-3648 on July 8, 2025, the vulnerability abused the record-count user interface element on list pages: by combining query filters with enumeration, an attacker could infer sensitive field values that the records themselves never displayed.

ServiceNow issued a patch in May 2025, but before that update, any user with at least basic table access—including self-registered anonymous accounts—could repeatedly query protected tables and reconstruct entire records character by character.

Varonis researchers first noticed inconsistent behavior in ServiceNow list pages where some denied-access responses displayed only a blank security warning, while others reported how many rows had been removed by security constraints.

By toggling query filters on fields such as sys_class_name or record description, the team observed that the platform’s Access Control List (ACL) engine handled “Data Condition” and “Script Condition” failures by leaking aggregated counts, even when actual records remained hidden.

This discrepancy revealed an inadvertent side channel: attackers could enumerate fields character by character by issuing successive queries that tested letter ranges or string containment.

Upon notification by Varonis, ServiceNow introduced two new ACL types: “Query ACLs” to regulate allowed operators and value ranges, and “Security Data Filters” to transparently suppress record counts and hide removed rows without signaling their removal to the requester.

Figure: Extract credentials to production servers.

Although ServiceNow’s ACL framework is highly granular—providing “Required Roles,” “Security Attributes,” “Data Conditions,” and “Script Conditions”—the design allowed at least one overly permissive ACL on many tables, inadvertently granting enough visibility to infer sensitive data.

Exploitation Methodology

No special plugins or admin privileges were required to exploit Count(er) Strike. A threat actor simply navigated to a list page, captured the “grand_total_rows” value embedded in the HTML, and appended sysparm_query parameters with operators like STARTSWITH, CONTAINS, or equality checks.

By automating requests that probed for substrings in fields such as short_description or sys_id, attackers could zero in on individual characters.

Figure: ServiceNow creates connections between tables using reference fields, which allow records to be shared across different tables.

For example, filtering incidents with the encoded query descriptionCONTAINSpassword would return a non-zero count if any matching record existed, even when the requester was not permitted to view the record itself.

Figure: ServiceNow provides access to data through records and fields within tables.

Refining that filter to a prefix query such as descriptionSTARTSWITHpasswor and adding one letter at a time, checking the count after each step, allowed full reconstruction of the underlying text.

Extending this technique via dot-walking—following reference fields to pull related table data—and combining it with ServiceNow’s optional self-registration feature dramatically widened the blast radius.

In instances where public self-registration was enabled, even anonymous users could register, log in, and execute enumeration against core tables like task, sys_user, and custom application tables that stored HR, financial, or regulatory data.

Mitigations

Customers are urged to audit both standard and custom table ACLs to ensure that “Required Roles” and “Security Attribute” conditions are never left empty or overly permissive.

New Query ACL rules can restrict operations to “query_match” operators such as EQUALS or IN, blocking range-based queries that enable enumeration.

Security Data Filters layer additional in-query constraints to remove disallowed records before counts are returned.
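To make the side channel and its fix concrete, the following is an added illustration in Python; it is not ServiceNow's code or Varonis's proof of concept. The in-memory table, its rows, the "visible" flag standing in for an ACL data condition, and the parse_query / list_count_vulnerable / list_count_hardened names are all constructed assumptions. The vulnerable function reports grand_total_rows before ACL evaluation strips hidden rows, so the count alone tells a caller whether a record they cannot read matches a substring filter (the behaviour described under Exploitation Methodology). The hardened function models the two new ACL types: a Query ACL that refuses range and substring operators on the field, and a Security Data Filter that removes disallowed rows before anything is counted, so the count is identical whether or not a hidden record matches.

```python
"""Toy model of the Count(er) Strike count oracle and the post-patch ACL behaviour.
Added example: not ServiceNow code; table contents and function names are constructed."""
import re

# Constructed sample rows for a hypothetical table. Row 3 is one the caller is
# NOT allowed to see: its ACL data condition fails, modelled by visible=False.
TABLE = [
    {"sys_id": "1", "short_description": "printer jam", "visible": True},
    {"sys_id": "2", "short_description": "vpn outage", "visible": True},
    {"sys_id": "3", "short_description": "password reset for admin", "visible": False},
]

# ServiceNow encoded-query term syntax is <field><OPERATOR><value> with no spaces,
# e.g. short_descriptionCONTAINSpassword. Only three operators are modelled here.
QUERY_RE = re.compile(r"^(?P<field>\w+?)(?P<op>STARTSWITH|CONTAINS|=)(?P<value>.*)$")


def parse_query(query):
    """Split one encoded-query term into (field, operator, value)."""
    m = QUERY_RE.match(query)
    if not m:
        raise ValueError(f"unsupported query: {query}")
    return m.group("field"), m.group("op"), m.group("value")


def matches(row, field, op, value):
    """Evaluate one term against one row."""
    v = str(row.get(field, ""))
    if op == "STARTSWITH":
        return v.startswith(value)
    if op == "CONTAINS":
        return value in v
    return v == value


def list_count_vulnerable(query):
    """Pre-patch behaviour as the article describes it: the query runs over every
    row, ACL evaluation then removes rows the caller may not see, but the list
    page still reports the total match count and how many rows were removed."""
    field, op, value = parse_query(query)
    matched = [r for r in TABLE if matches(r, field, op, value)]
    shown = [r for r in matched if r["visible"]]
    return {"grand_total_rows": len(matched), "rows_removed": len(matched) - len(shown)}


# Query ACL stand-in: only exact-match ("query_match" style) operators are allowed.
ALLOWED_OPS = {"="}


def list_count_hardened(query):
    """Post-patch behaviour: the Query ACL rejects substring/range operators, and the
    Security Data Filter drops disallowed rows BEFORE counting, so the returned
    count carries no information about records the caller cannot see."""
    field, op, value = parse_query(query)
    if op not in ALLOWED_OPS:
        raise PermissionError(f"operator {op} not permitted on {field} by Query ACL")
    filtered = [r for r in TABLE if r["visible"]]
    matched = [r for r in filtered if matches(r, field, op, value)]
    return {"grand_total_rows": len(matched), "rows_removed": 0}


if __name__ == "__main__":
    # The vulnerable count reveals that a hidden record matches the substring probe.
    print("vulnerable:", list_count_vulnerable("short_descriptionCONTAINSpassword"))
    # The hardened endpoint returns the same answer for a hidden record and a nonexistent one.
    print("hardened sys_id=3:  ", list_count_hardened("sys_id=3"))
    print("hardened sys_id=999:", list_count_hardened("sys_id=999"))
```

The point of the comparison is the last two lines of the demo: once filtering happens before counting, a hidden record and a record that does not exist are indistinguishable, which is exactly the property the Security Data Filter is meant to restore.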

Administrators should also review self-registration settings and disable or tightly control public onboarding to prevent unauthorized accounts from leveraging this vulnerability.

ServiceNow reports no known in-the-wild exploitation of Count(er) Strike prior to the May 2025 patch.

Nonetheless, organizations are strongly advised to apply the update immediately, verify that all tables enforce robust access controls, and monitor for unusual enumeration patterns in their instance logs to guard against overlooked exposures.
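The advice to monitor instance logs for enumeration patterns can be turned into a concrete check. The following is an added detection example, not ServiceNow or Varonis code; the log line format, the table and field names, and the thresholds are assumptions constructed for illustration. It groups list-page requests by user, table and filtered field, keeps only substring and prefix operators (the ones the Query ACL is meant to restrict), and raises an alert when a single user either fires many such probes against one field or issues a chain of filter values that each extend the previous one by a character, which is the signature of character-by-character reconstruction.

```python
"""Heuristic detection of count-oracle enumeration in ServiceNow-style request logs.
Added example, not ServiceNow or Varonis code; log format and names are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in the assumed format: "<timestamp> <user> <method> <path?query>".
# guest1 walks a prefix one letter at a time; alice runs ordinary filters.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z guest1 GET /task_list.do?sysparm_query=short_descriptionSTARTSWITHa
2025-05-01T10:00:02Z guest1 GET /task_list.do?sysparm_query=short_descriptionSTARTSWITHb
2025-05-01T10:00:02Z guest1 GET /task_list.do?sysparm_query=short_descriptionSTARTSWITHc
2025-05-01T10:00:03Z guest1 GET /task_list.do?sysparm_query=short_descriptionSTARTSWITHca
2025-05-01T10:00:03Z guest1 GET /task_list.do?sysparm_query=short_descriptionSTARTSWITHcb
2025-05-01T10:00:04Z guest1 GET /task_list.do?sysparm_query=short_descriptionSTARTSWITHcba
2025-05-01T10:00:04Z guest1 GET /task_list.do?sysparm_query=short_descriptionSTARTSWITHcbb
2025-05-01T10:00:05Z alice GET /incident_list.do?sysparm_query=active=true
2025-05-01T10:00:09Z alice GET /incident_list.do?sysparm_query=short_descriptionCONTAINSvpn
"""

# Operators that test a range or substring rather than an exact value.
PROBE_OPS = ("STARTSWITH", "CONTAINS", "ENDSWITH", "LIKE")
TERM_RE = re.compile(r"^(?P<field>\w+?)(?P<op>STARTSWITH|CONTAINS|ENDSWITH|LIKE|=)(?P<value>.*)$")
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+)$")


def parse_line(line):
    """Return (user, table, [(field, op, value), ...]) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("url"))
    name = url.path.rsplit("/", 1)[-1]
    table = name[:-len("_list.do")] if name.endswith("_list.do") else name
    query = parse_qs(url.query).get("sysparm_query", [""])[0]
    terms = []
    for term in query.split("^"):          # '^' joins terms in an encoded query
        t = TERM_RE.match(term)
        if t:
            terms.append((t.group("field"), t.group("op"), t.group("value")))
    return m.group("user"), table, terms


def longest_prefix_chain(values):
    """Length of the longest sequence where each value extends the previous by one character."""
    best = {}
    for v in sorted(set(values), key=len):
        best[v] = best.get(v[:-1], 0) + 1   # v[:-1] is the one-character-shorter prefix
    return max(best.values(), default=0)


def detect_enumeration(log_text, min_probes=5, min_chain=3):
    """Group probe-operator filters by (user, table, field) and flag suspicious groups."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        user, table, terms = parsed
        for field, op, value in terms:
            if op in PROBE_OPS:
                probes[(user, table, field)].append(value)
    alerts = []
    for (user, table, field), values in probes.items():
        chain = longest_prefix_chain(values)
        if len(values) >= min_probes or chain >= min_chain:
            alerts.append({"user": user, "table": table, "field": field,
                           "probes": len(values), "prefix_chain": chain})
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print("possible count-oracle enumeration:", alert)
```

Tune min_probes and min_chain to the instance's normal list usage; legitimate users rarely issue several prefix filters on the same field that differ by one trailing character, so the chain test is the lower-noise signal of the two.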

Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
