Full Report
ServiceNow is warning about a security incident after attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances. [...]
Analysis Summary
# Incident Report: ServiceNow Unauthenticated API Data Exposure
## Executive Summary
ServiceNow identified and mitigated a security incident involving an unauthenticated access flaw within a specific REST API endpoint. Attackers exploited this vulnerability to query data from customer instances, potentially accessing sensitive enterprise information including IT tickets, employee records, and system configurations. ServiceNow has since deployed a security update to restrict API access to authenticated users and is working directly with affected customers via support cases.
## Incident Details
- **Discovery Date:** June 5, 2026 (Date of security update deployment)
- **Incident Date:** Ongoing prior to June 5, 2026
- **Affected Organization:** ServiceNow (ServiceNow Australia platform release and specific legacy configurations)
- **Sector:** Information Technology / SaaS
- **Geography:** Global (with specific mentions of the Australia platform release)
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to June 5, 2026.
- **Vector:** Exploitation of an unauthenticated REST API endpoint (`/api/now/related_list_edit/create`).
- **Details:** The endpoint was allegedly configured with `requires_authentication=false`, allowing external actors to send requests without credentials.
### Lateral Movement
- **Details:** No internal lateral movement within the ServiceNow corporate network was reported; attackers moved horizontally across various customer instances accessible via the public internet.
### Data Exfiltration/Impact
- **Details:** Attackers successfully queried customer instance tables. Potential exfiltrated data includes IT support tickets (which often contain API tokens/credentials), employee records, internal documentation, asset inventories, and security incident reports.
### Detection & Response
- **Detection:** ServiceNow detected "anomalous activity" related to the API endpoint.
- **Response:**
  - June 5, 2026: Applied a security update to all hosted instances to force authentication (`requires_authentication=true`).
  - Notification: Opened direct support cases with affected customers.
  - Investigation: Ongoing evaluation of whether to issue a CVE.
## Attack Methodology
- **Initial Access:** Exploitation of a broken/insecure API configuration (CWE-306: Missing Authentication for Critical Function).
- **Persistence:** Not applicable; the attack relied on direct API queries.
- **Privilege Escalation:** Gaining "greater access to ServiceNow instances than intended" through unauthenticated queries.
- **Defense Evasion:** The reported "anomalous activity" suggests attackers attempted to blend in with standard API traffic until behavioral monitoring detected them.
- **Discovery:** Target discovery likely involved automated scanning for the specific vulnerable endpoint across ServiceNow subdomains.
- **Collection:** Querying of internal database tables via the REST API.
- **Exfiltration:** Standard HTTP/REST response data transfer.
## Impact Assessment
- **Financial:** Unknown; potential for regulatory fines (GDPR/APRA) depending on the volume of PII/PHI exposed.
- **Data Breach:** High potential. Exposure of sensitive enterprise data, metadata, and potentially "secrets" (tokens/passwords) stored within IT tickets.
- **Operational:** Low direct disruption; however, downstream risk is high if attackers use stolen credentials to access customer environments.
- **Reputational:** Moderate; the company quietly patched the issue behind a login portal, leading to criticism regarding transparency.
## Indicators of Compromise
- **Network Indicators:**
  - `51[.]159[.]98[.]241` (Reported source IP for malicious API requests)
- **Behavioral Indicators:**
  - Frequent, unauthenticated GET/POST requests directed at `hxxps[:]//[instance-name].service-now.com/api/now/related_list_edit/create`.
  - Spikes in outbound data volume from the specific API endpoint.
## Response Actions
- **Containment:** Deployed a platform-wide patch on June 5, 2026, to change the API endpoint configuration to limit access to authenticated users only.
- **Eradication:** Disabled the vulnerable configuration for customers on the "Australia" release and legacy versions.
- **Recovery:** Notified only the impacted customers, via the support portal, asking them to review their logs for the specific IOCs.
## Lessons Learned
- **Visibility:** Security updates hidden behind login portals can delay administrator response and transparency.
- **Configuration Management:** Critical API endpoints must default to "Authenticated Only" regardless of version or regional platform releases.
- **Support Ticket Security:** This incident highlights the risk of storing sensitive credentials and tokens in plain text within IT support tickets, which are a high-value target for threat actors.
## Recommendations
- **Audit:** All ServiceNow administrators should review system logs for API calls to `/api/now/related_list_edit/create` originating from unauthorized IPs prior to June 5, 2026.
- **Credential Rotation:** If evidence of access is found, immediately rotate any API keys, tokens, or passwords that may have been stored in support tickets or documentation.
- **Hardening:** Ensure all REST API endpoints are reviewed for the `requires_authentication` attribute, specifically on custom or legacy configurations.
- **Monitoring:** Implement alerting for high-volume data queries from unauthenticated sources or anomalous IP ranges.
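The Audit and Monitoring items above, worked through as an added log-review script (not ServiceNow's code and not from the original report): it flags calls to the vulnerable endpoint that are unauthenticated or come from the reported source IP, tags the ones made before the June 5, 2026 update, and lists sources whose unauthenticated volume crosses a threshold. The log line layout, the sample IPs 203.0.113.7 and 198.51.100.5, the user names and the threshold are assumptions; adapt the regex to the transaction log format your instance actually exports.

```python
import re
from collections import Counter
from datetime import datetime, timezone
# Endpoint and source IP named in the report (IP re-fanged so it matches log text).
VULN_ENDPOINT = "/api/now/related_list_edit/create"
REPORTED_SOURCE_IP = "51.159.98.241"
PATCH_DATE = datetime(2026, 6, 5, tzinfo=timezone.utc)  # day authentication was enforced

# Assumed layout (constructed, not ServiceNow's own format): <ISO-8601 ts> <client ip> <user or "-"> <METHOD> <path> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped rather than crashing the audit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["authenticated"] = rec["user"] != "-"  # "-" means no session/user was bound to the request
    return rec

def audit(lines, volume_threshold=3):
    """Return (hits, high_volume): suspicious endpoint calls with reasons, and IPs whose unauthenticated count >= threshold."""
    hits, unauth_by_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != VULN_ENDPOINT:
            continue  # strip any query string, then ignore every other endpoint
        reasons = []
        if not rec["authenticated"]:
            reasons.append("unauthenticated")
            unauth_by_ip[rec["ip"]] += 1
        if rec["ip"] == REPORTED_SOURCE_IP:
            reasons.append("reported-source-ip")
        if reasons and rec["ts"] < PATCH_DATE:
            reasons.append("pre-patch")  # window in which the endpoint was still open
        if reasons:
            hits.append((rec["ts"].isoformat(), rec["ip"], rec["method"], reasons))
    high_volume = {ip: n for ip, n in unauth_by_ip.items() if n >= volume_threshold}
    return hits, high_volume

# Constructed sample log: three reported-IP queries, one other unauthenticated source,
# one authenticated admin call, and one post-patch unauthenticated attempt that was refused.
SAMPLE_LOG = """\
2026-06-01T02:14:07Z 51.159.98.241 - GET /api/now/related_list_edit/create 200
2026-06-01T02:14:09Z 51.159.98.241 - GET /api/now/related_list_edit/create 200
2026-06-01T02:14:11Z 51.159.98.241 - POST /api/now/related_list_edit/create 200
2026-06-02T09:30:00Z 203.0.113.7 - GET /api/now/related_list_edit/create 200
2026-06-03T10:00:00Z 198.51.100.5 admin POST /api/now/related_list_edit/create 200
2026-06-06T00:00:01Z 203.0.113.7 - GET /api/now/related_list_edit/create 401
"""
```

Running `audit(SAMPLE_LOG.splitlines())` yields five hits (the authenticated admin call is not one) and reports 51.159.98.241 as the only high-volume unauthenticated source; any hit tagged `pre-patch` is the trigger for the credential rotation step above.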