Decoding the world of cybersecurity

ServiceNow investigates customer data exposure

ServiceNow has reportedly warned affected customers after unauthenticated access through a vulnerable API endpoint allowed attackers to query customer instance data.

ServiceNow investigates customer data exposure
Summary
  • ServiceNow has reportedly warned affected customers of unauthenticated access to customer instance data through a vulnerable API endpoint.
  • The detailed advisory appears to be behind ServiceNow’s customer support portal, limiting public verification.
  • The incident raises SaaS third-party risk concerns because workflow platforms can hold operational, employee, support, asset, and security data.

ServiceNow has reportedly warned affected customers after attackers exploited unauthenticated access through a vulnerable API endpoint to query data from customer instances.

The detailed customer advisory appears to sit behind ServiceNow’s support portal and was not publicly accessible at the time of drafting. Public reporting says ServiceNow applied a security update to hosted customer instances on 5 June after detecting anomalous activity linked to an issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.

The reported advisory says the security update changed the API endpoint configuration to limit access to authenticated users only. It also reportedly confirms that attackers successfully queried customer instance tables. ServiceNow is said to have opened support cases with affected customers, while customers that have not received a case are not believed to be affected.

The public facts remain incomplete. ServiceNow has not publicly listed the number of affected customers, the categories of data accessed, whether any European organisations are affected, how long the activity continued, or whether a CVE will be assigned. Administrators have been advised in public reporting to review logs for requests to a related list edit API endpoint and assess whether sensitive data may have been present in exposed records.

ServiceNow’s role in enterprise environments gives the reported exposure a wider risk profile. The platform is widely used for IT service management, workflow automation, asset management, employee services, security operations, customer support, and operational process management. Instance data can include support tickets, internal documentation, employee records, asset inventories, incident records, configuration details, and troubleshooting exchanges.

Those records are rarely treated with the same sensitivity as credential vaults or core production databases, yet they can carry useful operational intelligence. Support tickets may include system names, internal architecture, temporary credentials, API tokens, troubleshooting logs, employee contact details, access requests, and references to security controls. A query against instance tables can therefore produce more than ordinary business data.

The reported unauthenticated access pattern also underlines the risk of SaaS control-plane exposure. Organisations rely on major SaaS providers to operate securely, patch centrally, and maintain tenant isolation. That model has resilience advantages, but it concentrates risk in vendor-managed endpoints, APIs, and configurations that customers cannot directly inspect before a problem emerges.

Organisations using ServiceNow should identify whether they received a support case, preserve relevant logs, review sensitive table content, search for unusual API access, and assess whether credentials, tokens, secrets, or regulated personal data were present in potentially exposed records. Where support workflows have been used to exchange sensitive material, credential rotation and token revocation may be necessary even if the primary incident is contained.

The episode also strengthens the case for stronger data minimisation inside operational platforms. Workflow systems tend to become reservoirs of business context because they are convenient, searchable, and widely integrated. Over time, they collect records that were never intended to become part of a high-value data store.

Until ServiceNow publishes fuller details, the story should be handled carefully. The confirmed public record is limited, but the reported customer warning is enough to place the incident in the third-party risk and SaaS governance category for organisations that depend on the platform for operational workflows.

×