Full Report
According to public reports, the activity appears to be associated with a Scripted REST Resource endpoint (/api/now/related_list_edit/create) that was allegedly configured with requires_authentication = false, potentially allowing unauthenticated access to backend functionalit...
Analysis Summary
# Incident Report: ServiceNow Unauthenticated Access via Scripted REST Resource
## Executive Summary
A software misconfiguration, reported as a 0-day vulnerability, in ServiceNow instances allowed unauthenticated attackers to reach backend functionality through a specific REST API endpoint. The vulnerability stemmed from an improperly configured access control setting (`requires_authentication = false`) on a standard system endpoint. This resulted in unauthorized data queries and potential exfiltration across a subset of customer environments.
## Incident Details
- **Discovery Date:** June 2026 (Reported June 9, 2026)
- **Incident Date:** June 2026
- **Affected Organization:** Multiple ServiceNow customers
- **Sector:** Cross-sector (any organization running an affected ServiceNow release)
- **Geography:** Primarily Australia (instances running the "Australia" release)
## Timeline of Events
### Initial Access
- **Date/Time:** June 2026
- **Vector:** Exploitation of an exposed REST Resource endpoint.
- **Details:** Attackers targeted the endpoint `hxxps://[instance].service-now[.]com/api/now/related_list_edit/create`. Due to a misconfiguration, this endpoint did not require a valid session or credentials.
### Lateral Movement
- **Details:** There is no public evidence of lateral movement to internal corporate networks; however, the vulnerability allowed direct access to backend table queries within the ServiceNow cloud environment.
### Data Exfiltration/Impact
- **Details:** Threat actors performed successful table queries. This allowed for the unauthorized viewing and extraction of records stored within affected ServiceNow instances.
### Detection & Response
- **How it was discovered:** Security researchers and customers identified anomalous web requests targeting the specific API endpoint.
- **Response actions taken:** ServiceNow notified affected customers directly and addressed the misconfiguration in the "Australia" release and pre-release configuration sets.
## Attack Methodology
- **Initial Access:** Software misconfiguration (Exposed resource abuse).
- **Persistence:** Not applicable; direct API exploitation.
- **Privilege Escalation:** None required; the endpoint bypassed authentication entirely.
- **Defense Evasion:** Activity was logged under the **"Guest" user account**, making it difficult to distinguish between legitimate guest traffic (if enabled) and malicious activity.
- **Credential Access:** Not required.
- **Discovery:** Automated scanning for the `/api/now/related_list_edit/create` path.
- **Lateral Movement:** N/A.
- **Collection:** Table queries through the REST API.
- **Exfiltration:** Standard HTTP responses containing queried table data.
- **Impact:** Unauthorized data exposure.
## Impact Assessment
- **Financial:** Not publicly disclosed.
- **Data Breach:** Confirmed "successful table queries" in a subset of environments; volume of data remains undisclosed.
- **Operational:** Potential downtime during remediation and configuration auditing.
- **Reputational:** Increased scrutiny on SaaS platform default security configurations.
## Indicators of Compromise
- **Network indicators:**
  - `51.159.98[.]241` (known attacking IP)
- **File indicators:** N/A (API-based attack)
- **Behavioral indicators:**
  - Excessive or unusual requests to `/api/now/related_list_edit/create`.
  - High volume of activity attributed to the "Guest" user account in system transaction logs.
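The behavioral indicators above can be turned into a small detection pass over transaction-log exports. The following is an added example, not code from the report or from ServiceNow: the log layout (timestamp, source IP, user, method, path, status), the `guest` user name and the burst threshold are assumptions, and the sample lines are constructed; the target path and the IP are the ones the report gives.

```python
"""Detection logic for the behavioural indicators listed above, run over a few
constructed transaction-log lines. Added example, not code from the report or
from ServiceNow; the log format (timestamp, source IP, user, method, path,
status), the burst threshold and the 'guest' user name are assumptions."""
from collections import Counter
from datetime import datetime

TARGET_PATH = "/api/now/related_list_edit/create"
KNOWN_BAD_IP = "51.159.98.241"   # the report's 51.159.98[.]241, re-fanged for matching
GUEST_USER = "guest"
GUEST_BURST_THRESHOLD = 5        # Guest requests per minute that count as a burst (assumed)

# Constructed sample lines in the assumed "ts ip user method path status" layout.
SAMPLE_LOG = """\
2026-06-08T10:00:01Z 203.0.113.5 jdoe GET /api/now/table/incident 200
2026-06-08T10:00:02Z 51.159.98.241 guest POST /api/now/related_list_edit/create 200
2026-06-08T10:00:03Z 51.159.98.241 guest POST /api/now/related_list_edit/create 200
2026-06-08T10:00:03Z 51.159.98.241 guest POST /api/now/related_list_edit/create 200
2026-06-08T10:00:04Z 51.159.98.241 guest POST /api/now/related_list_edit/create 200
2026-06-08T10:00:05Z 51.159.98.241 guest POST /api/now/related_list_edit/create 200
2026-06-08T10:00:06Z 51.159.98.241 guest POST /api/now/related_list_edit/create 200
2026-06-08T10:05:00Z 198.51.100.7 guest GET /api/now/table/kb_knowledge 200
2026-06-08T10:06:00Z 203.0.113.9 asmith GET /api/now/related_list_edit/create 200
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, ip, user, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "user": user.lower(),
        "method": method,
        "path": path.split("?", 1)[0],   # ignore query strings when matching the path
        "status": int(status),
    }


def analyze(log_text, burst_threshold=GUEST_BURST_THRESHOLD):
    """Return per-indicator counts plus the minutes in which Guest traffic burst."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]

    target_hits = [e for e in events if e["path"] == TARGET_PATH]
    known_ip_hits = [e for e in events if e["ip"] == KNOWN_BAD_IP]
    # Requests to the endpoint attributed to Guest are the core signal: a correctly
    # configured resource would never have served Guest here at all.
    guest_target_hits = [e for e in target_hits if e["user"] == GUEST_USER]

    per_minute = Counter(
        e["ts"].replace(second=0, microsecond=0) for e in events if e["user"] == GUEST_USER
    )
    guest_bursts = {m.isoformat(): n for m, n in per_minute.items() if n >= burst_threshold}

    return {
        "target_path_hits": len(target_hits),
        "known_ip_hits": len(known_ip_hits),
        "guest_target_hits": len(guest_target_hits),
        "guest_bursts": guest_bursts,
        "source_ips_on_target": sorted({e["ip"] for e in target_hits}),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any non-zero `guest_target_hits` is worth a ticket on its own, since it means the endpoint answered without a session; the burst count and the IP match are corroboration, not prerequisites, because a slower or differently sourced actor would produce neither.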
## Response Actions
- **Containment:** Instances were patched or reconfigured to ensure `requires_authentication` was set to `true` for the affected endpoint.
- **Eradication:** ServiceNow identified and notified specific customers where successful data queries were observed.
- **Recovery:** Customers were advised to audit transaction logs for the specific IP address and "Guest" user activity.
## Lessons Learned
- **Key takeaways:** Default "unauthenticated" flags on API endpoints represent a high-risk surface area in SaaS environments.
- **What could have been done better:** Improved automated regression testing for security flags (ACLs) during the release of new platform versions (e.g., the Australia release).
## Recommendations
- **Audit Scripted REST APIs:** Regularly review all custom and system Scripted REST Resources to ensure `requires_authentication` is enabled unless explicitly required for public functions.
- **Guest Account Monitoring:** Monitor and alert on high-frequency transactions originating from the "Guest" user account.
- **IP Whitelisting:** Where possible, restrict access to administrative or sensitive API endpoints to known corporate IP ranges.
- **Log Enrichment:** Ensure logs capture enough context to distinguish between different types of unauthenticated traffic.
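The first recommendation, auditing Scripted REST Resources for the weak setting, can be scripted against the Table API. The block below is an added example, not ServiceNow's own tooling: it assumes the resources live in the `sys_ws_operation` table with the field names shown, that the Table API returns booleans as the strings `"true"`/`"false"`, and that the organisation keeps an allowlist of endpoints reviewed as intentionally public; the records it runs on are constructed, and the live fetch is not executed here.

```python
"""Audit of Scripted REST Resources for requires_authentication = false.
Added example, not ServiceNow's own tooling. Assumptions: resources are stored
in the sys_ws_operation table with the fields named below, the Table API at
/api/now/table/sys_ws_operation returns them, and booleans come back as the
strings "true"/"false". The sample records are constructed."""
import base64
import json
from urllib.request import Request, urlopen

TABLE = "sys_ws_operation"   # assumed table holding Scripted REST Resources
FIELDS = "sys_id,name,http_method,relative_path,requires_authentication,requires_acl_authorization"


def fetch_resources(instance, user, password):
    """Pull the resource records from a live instance (not called in this file)."""
    url = (f"https://{instance}.service-now.com/api/now/table/{TABLE}"
           f"?sysparm_fields={FIELDS}&sysparm_limit=1000")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)["result"]


def is_false(value):
    """Table API booleans arrive as strings; treat anything but 'true' as unset."""
    return str(value).strip().lower() != "true"


def find_unauthenticated(records, allowlist=frozenset()):
    """Return findings for resources that serve without a session, excluding
    (method, path) pairs explicitly documented as public."""
    findings = []
    for r in records:
        if not is_false(r.get("requires_authentication")):
            continue
        key = (r.get("http_method", "").upper(), r.get("relative_path", ""))
        if key in allowlist:
            continue
        # No authentication *and* no ACL check means any caller reaches the script body.
        severity = "critical" if is_false(r.get("requires_acl_authorization")) else "high"
        findings.append({"name": r.get("name"), "method": key[0], "path": key[1], "severity": severity})
    return sorted(findings, key=lambda f: (f["severity"], f["path"]))


# Constructed records in the shape the Table API returns with sysparm_display_value off.
SAMPLE_RECORDS = [
    {"sys_id": "a1", "name": "create", "http_method": "POST", "relative_path": "/create",
     "requires_authentication": "false", "requires_acl_authorization": "false"},
    {"sys_id": "a2", "name": "read", "http_method": "GET", "relative_path": "/{sys_id}",
     "requires_authentication": "true", "requires_acl_authorization": "true"},
    {"sys_id": "a3", "name": "health", "http_method": "GET", "relative_path": "/health",
     "requires_authentication": "false", "requires_acl_authorization": "true"},
    {"sys_id": "a4", "name": "export", "http_method": "GET", "relative_path": "/export",
     "requires_authentication": "false", "requires_acl_authorization": "true"},
]
# Endpoints reviewed and documented as intentionally public (assumed for the example).
PUBLIC_ALLOWLIST = frozenset({("GET", "/health")})

if __name__ == "__main__":
    for f in find_unauthenticated(SAMPLE_RECORDS, PUBLIC_ALLOWLIST):
        print(f"[{f['severity']}] {f['method']} {f['path']} ({f['name']})")
```

Run this on a schedule and diff the output against the previous run: the report's root cause was a flag that changed with a platform release, so a resource that newly appears in the findings after an upgrade is exactly the regression the Lessons Learned section describes. Because the allowlist is keyed on method and path, renaming a resource does not silently whitelist it.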