On July 8, 2025, ServiceNow released a critical security update to address a vulnerability within the Now Platform that could lead to unauthorized access to sensitive data. This issue is related to misconfigurations in the Conditional Access Control Lists (ACLs), which could allow both authenticated and unauthenticated users to infer data they shouldn’t have access to.
This is particularly concerning for businesses handling confidential or regulated data. If ACLs are not configured properly, sensitive information could be exposed to individuals who shouldn’t be able to view it.
The vulnerability, tracked as CVE-2025-3648, allows unauthorized users to exploit poorly configured ACLs, particularly in cases where range queries — which request specific subsets of data — are not adequately restricted. These range queries could potentially reveal sensitive data, even if the user doesn’t have explicit permission to access it. This type of issue is known as data inference, where an attacker can “infer” or deduce information from the system by making certain queries, even without direct access to the data.
ServiceNow has also rolled out several enhancements as part of its Xanadu and Yokohama releases to resolve this issue and strengthen platform security. These updates introduce improved access control frameworks, including:
- Query ACLs – These provide more detailed control over who can query specific data, ensuring that only authorized users can retrieve particular subsets of information.
- Security Filters – These data filters restrict data visibility based on user roles and permissions, adding an extra layer of security.
- Deny-Unless ACLs – A stricter approach to access control that denies data access by default, unless certain conditions are explicitly met.
These measures are designed to prevent unauthorized data inference and ensure that sensitive information is only accessible to those with the proper clearance.
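The toy model below is an added illustration, not ServiceNow's code or the actual implementation of its fix: an in-memory table with a field-level read ACL and a query function that can run either in the misconfigured mode (range predicate evaluated before the read ACL, so row counts leak a protected value) or with a hypothetical query ACL that refuses filtering on fields the caller cannot read. The records, roles and field names are constructed for the example.

```python
"""Toy model of ACL data inference through range queries (constructed example)."""


# Constructed sample records (not real data).
RECORDS = [
    {"sys_id": "r1", "name": "Alice", "salary": 95000},
    {"sys_id": "r2", "name": "Bob", "salary": 120000},
    {"sys_id": "r3", "name": "Carol", "salary": 210000},
]

# Hypothetical field-level read ACL: role -> fields the role may read.
READ_ACL = {
    "hr": {"sys_id", "name", "salary"},
    "user": {"sys_id", "name"},
}


class QueryDenied(Exception):
    """Raised when the query ACL rejects a predicate on a protected field."""


def query(role, field_name, minimum, enforce_query_acl):
    """Return rows where field_name >= minimum, with unreadable fields redacted.

    enforce_query_acl=False models the misconfiguration: the range predicate is
    evaluated on the raw rows and only afterwards are unreadable fields stripped,
    so the number of matching rows reveals the protected value.
    enforce_query_acl=True models a query ACL / deny-unless rule: filtering on a
    field the caller cannot read is refused before any row is touched.
    """
    readable = READ_ACL.get(role, set())
    if enforce_query_acl and field_name not in readable:
        raise QueryDenied(f"role {role!r} may not filter on {field_name!r}")
    matches = [r for r in RECORDS if r[field_name] >= minimum]
    return [{k: v for k, v in r.items() if k in readable} for r in matches]


def count_reveals_value(role, field_name, lo, hi, enforce_query_acl):
    """True if two range queries return different row counts for this caller.

    For a role that cannot read field_name, a True result means the value can
    be inferred from result counts alone; a denied query yields False.
    """
    try:
        n_lo = len(query(role, field_name, lo, enforce_query_acl))
        n_hi = len(query(role, field_name, hi, enforce_query_acl))
    except QueryDenied:
        return False
    return n_lo != n_hi
```

The same check against a real instance is simply whether a filter on a field the role cannot read changes the result set; if it does, the query path is not covered by the ACL.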
By staying on top of updates and following best practices for access control lists, you can help ensure that your organization’s data remains protected. If you use ServiceNow, it’s essential to review your ACL configurations to confirm they’re properly set up and secure. ServiceNow has published knowledge base articles to help customers adjust their ACL settings, implement the latest security updates, and protect against vulnerabilities like this one.
For additional details including patching information, visit ServiceNow’s advisory post on their website.