
Patch now! ServiceNow vulnerabilities under active exploitation

Up to 42,000 ServiceNow systems may be at risk of compromise.

The Cybersecurity and Infrastructure Security Agency (CISA) has added two ServiceNow vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate them by August 19, 2024.

ServiceNow is a software company that provides a cloud-based, AI-driven platform for automating management workflows in enterprises. Researchers estimate that anywhere from 13,000 to 42,000 internet-exposed ServiceNow instances may be at risk of compromise.

The affected releases are Utah, Vancouver and Washington DC. An instance is fixed only if it is at or above one of the versions listed for its patch line:

Release: Fixed versions

Utah:
– Utah Patch 10 Hot Fix 3
– Utah Patch 10a Hot Fix 2
– Utah Patch 10b Hot Fix 1

Vancouver:
– Vancouver Patch 6 Hot Fix 2
– Vancouver Patch 7 Hot Fix 3b
– Vancouver Patch 8 Hot Fix 4
– Vancouver Patch 9 Hot Fix 1
– Vancouver Patch 10

Washington DC:
– Washington DC Patch 1 Hot Fix 3b
– Washington DC Patch 2 Hot Fix 2
– Washington DC Patch 3 Hot Fix 2
– Washington DC Patch 4
– Washington DC Patch 5

Users can confirm which patch level and hot fix their instance is running, and how to move to the latest one, by following the instructions in the ServiceNow Knowledge Base article “Patches and updates”.
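Checking a fleet of instances against the table above by hand is error-prone, because Utah Patch 10, 10a and 10b are separate patch lines with different fix levels, and "Hot Fix 3b" is newer than "Hot Fix 3" but older than "Hot Fix 4". The following Python script is an added example (not code from the original article or from ServiceNow) that encodes the fixed-version table and classifies a version string written the way the table writes it, e.g. "Vancouver Patch 7 Hot Fix 3a". It assumes that within a release a higher patch number is cumulative (so Vancouver Patch 11 carries the Patch 10 fix) and that a patch line below the lowest listed fix cannot be patched; a patch line the table does not cover (for example a hypothetical "Utah Patch 10c", or a release such as Xanadu) is reported as unknown rather than guessed. The inventory at the bottom is constructed sample data.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    PATCHED = "patched"
    VULNERABLE = "vulnerable"
    UNKNOWN = "unknown"


# Fixed versions from the ServiceNow advisory table: (release, patch line) -> minimum hot fix.
# The patch line keeps its letter suffix because Utah 10, 10a and 10b are distinct lines,
# each with its own fix level, not successive cumulative builds.
FIXED = {
    ("utah", "10"): "3", ("utah", "10a"): "2", ("utah", "10b"): "1",
    ("vancouver", "6"): "2", ("vancouver", "7"): "3b", ("vancouver", "8"): "4",
    ("vancouver", "9"): "1", ("vancouver", "10"): "0",
    ("washington dc", "1"): "3b", ("washington dc", "2"): "2", ("washington dc", "3"): "2",
    ("washington dc", "4"): "0", ("washington dc", "5"): "0",
}

# Accepts "<Release> Patch <n><letter?> [Hot Fix <n><letter?>]", case-insensitive.
VERSION_RE = re.compile(
    r"^\s*(?P<release>[a-z]+(?:\s+dc)?)\s+patch\s+(?P<patch>\d+[a-z]?)"
    r"(?:\s+hot\s*fix\s+(?P<hotfix>\d+[a-z]?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Version:
    release: str   # normalised, lower case, e.g. "washington dc"
    patch: str     # patch line, e.g. "10a"
    hotfix: str    # "0" when no hot fix is applied


def _split(token: str) -> tuple[int, str]:
    """Order key for a patch or hot fix token: '3b' -> (3, 'b'), '10' -> (10, '')."""
    m = re.fullmatch(r"(\d+)([a-z]?)", token.lower())
    if not m:
        raise ValueError(f"bad patch/hot fix token: {token!r}")
    return int(m.group(1)), m.group(2)


def parse_version(text: str) -> Version:
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ServiceNow version string: {text!r}")
    release = " ".join(m.group("release").lower().split())
    if release == "washington":          # the table calls the release "Washington DC"
        release = "washington dc"
    return Version(release, m.group("patch").lower(), (m.group("hotfix") or "0").lower())


def assess(text: str) -> Status:
    """Classify one instance version against the fixed-version table."""
    v = parse_version(text)
    lines = {p: hf for (r, p), hf in FIXED.items() if r == v.release}
    if not lines:
        return Status.UNKNOWN            # release not covered by the advisory table
    if v.patch in lines:                 # exact patch line: compare hot fix levels
        return Status.PATCHED if _split(v.hotfix) >= _split(lines[v.patch]) else Status.VULNERABLE
    # Assumption: patch numbers within a release are cumulative, so a patch number above
    # every listed line already carries the fix, and one below the lowest line cannot.
    num = _split(v.patch)[0]
    listed = [_split(p)[0] for p in lines]
    if num > max(listed):
        return Status.PATCHED
    if num < min(listed):
        return Status.VULNERABLE
    return Status.UNKNOWN                # e.g. a lettered line the table does not list


def triage(inventory: dict[str, str]) -> dict[str, Status]:
    """Map instance name -> Status for a whole inventory of version strings."""
    return {name: assess(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; instance names are hypothetical.
    sample = {
        "dev01": "Washington DC Patch 3 Hot Fix 1",
        "prod-eu": "Vancouver Patch 7 Hot Fix 3b",
        "prod-us": "Vancouver Patch 7 Hot Fix 3a",
        "legacy": "Utah Patch 10a",
        "lab": "Xanadu Patch 1",
    }
    for name, status in triage(sample).items():
        print(f"{name:10s} {sample[name]:35s} {status.value}")
```

Feed it the "Build name" and patch/hot fix values shown on each instance's stats page, and treat every `unknown` result as something to resolve manually against the ServiceNow KB rather than as safe.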

Three security flaws were found and responsibly disclosed to ServiceNow on May 14, 2024, and fixes were released during the June 2024 patching cycle.

A day after ServiceNow published the KB articles about the vulnerabilities, researchers published a Proof-of-Concept (PoC) in which the three vulnerabilities were chained to achieve code execution. The issues were assigned CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217.

As we have seen before, it doesn’t take long for cybercriminals to turn a public PoC into active exploitation. Chained together, these vulnerabilities let an attacker gain unauthorized access to the ServiceNow platform, escalate privileges, and read arbitrary data.

Exploitation attempts mainly target the financial services industry, using two distinct payloads: one dumps database users and passwords, the other probes for remote code execution.

All three vulnerabilities can be found and patched with ThreatDown Vulnerability Assessment and Patch Management.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in check by using ThreatDown’s Vulnerability Assessment and Patch Management solutions.