CVE-2025-3648: CWE-1220: Insufficient Granularity of Access Control in ServiceNow Now Platform
A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them. To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs. Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations. Customers, please review the KB Articles in the References section.
AI Analysis
Technical Summary
CVE-2025-3648 is a high-severity vulnerability (CVSS 8.2, scored under CVSS 4.0) in the ServiceNow Now Platform. The CVE record names the Aspen version, but the advisory describes the root cause as a conditional access control list (ACL) configuration pattern rather than a defect in one particular build, which is why the remedy is a change to ACL configuration rather than a single patch. The weakness is classified as CWE-1220, Insufficient Granularity of Access Control. In an inference attack of this kind, a conditional ACL decides per record whether the requester may see it, but the requester's query filter is still evaluated against records the ACL will later hide, and the response differs depending on whether the filter matched. By issuing a succession of range queries (for example, greater-than or less-than bounds on a protected field) an attacker narrows the hidden value step by step without ever being shown the record. Both unauthenticated and authenticated users can mount the attack; it needs no user interaction and is reachable over the network, which drives the high rating. ServiceNow's response is twofold: new access control frameworks in the Xanadu and Yokohama releases (Query ACLs, Security Data Filters and Deny-Unless ACLs), designed to enforce restrictions at the query level rather than relying solely on per-record conditions, and a security update delivered to customers in May 2025 to strengthen ACL configurations. Because the new frameworks are controls an administrator must configure, upgrading alone does not close the gap. No exploitation in the wild had been reported at the time of writing, but the impact is a direct loss of confidentiality for any data protected only by a conditional ACL.
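The following simulation is an added illustration of the weakness class described above, not ServiceNow code and not an exploit for a specific instance. It models a table guarded by a per-record (conditional) ACL, a query path that evaluates the caller's filter before the ACL and reports how many matching rows were withheld, and the attacker's binary search over that count. The hardened form applies the ACL first, so rows the caller cannot read never reach the filter and the oracle is silent. Table contents, field names, the ACL rule and the `removed_by_security` count are all constructed for this example.

```python
"""Range-query inference against a conditional ACL, and the hardened form.

Added illustration, not ServiceNow code. All records, field names and the
leaky count are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample table: the caller "guest" may only read rows they own.
RECORDS = [
    {"sys_id": "r1", "owner": "alice", "salary": 91250},
    {"sys_id": "r2", "owner": "guest", "salary": 40000},
    {"sys_id": "r3", "owner": "bob",   "salary": 120000},
]

Predicate = Callable[[dict], bool]


def conditional_acl(user: str, record: dict) -> bool:
    """Per-record ACL: the row is readable only if the requester owns it."""
    return record["owner"] == user


@dataclass
class QueryResult:
    rows: list
    removed_by_security: int   # number of matching rows hidden by the ACL


def vulnerable_query(user: str, predicate: Predicate) -> QueryResult:
    """Filter first, then ACL: the caller learns how many hidden rows matched.

    That count is the side channel. Even if the count were not shown, any
    observable difference between 'matched and hidden' and 'did not match'
    would do.
    """
    matched = [r for r in RECORDS if predicate(r)]
    visible = [r for r in matched if conditional_acl(user, r)]
    return QueryResult(visible, len(matched) - len(visible))


def hardened_query(user: str, predicate: Predicate) -> QueryResult:
    """ACL first, then the caller's filter (deny-unless, query-time filtering).

    Rows the user cannot read never reach the predicate, so no count or other
    difference can reveal whether they matched.
    """
    readable = [r for r in RECORDS if conditional_acl(user, r)]
    return QueryResult([r for r in readable if predicate(r)], 0)


def infer_salary(query, user: str, target_id: str,
                 lo: int = 0, hi: int = 1_000_000) -> Optional[int]:
    """Binary search on 'salary > x' using only the oracle's response.

    Returns the inferred salary of `target_id`, or None when the query path
    gives nothing away about that record. Roughly log2(hi - lo) probes.
    """
    probe = query(user, lambda r: r["sys_id"] == target_id)
    if probe.removed_by_security == 0 and not probe.rows:
        return None                      # oracle is silent: nothing to infer
    while lo < hi:
        mid = (lo + hi) // 2
        res = query(user, lambda r: r["sys_id"] == target_id
                                     and r["salary"] > mid)
        if res.removed_by_security or res.rows:
            lo = mid + 1                 # salary > mid
        else:
            hi = mid                     # salary <= mid
    return lo


if __name__ == "__main__":
    print("vulnerable:", infer_salary(vulnerable_query, "guest", "r1"))
    print("hardened:  ", infer_salary(hardened_query, "guest", "r1"))
```

The attacker never receives the hidden record; twenty or so range queries against the count are enough to recover a six-figure value exactly. The hardened path still answers the caller's own legitimate queries (try `infer_salary(hardened_query, "guest", "r2")`), which is the property a query-level ACL has to preserve.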
Potential Impact
For European organizations running affected Now Platform instances, this vulnerability could lead to unauthorized disclosure of sensitive business data, including personal data protected under GDPR. Because the inference can be performed by unauthenticated actors, the exposure is not limited to insiders or compromised accounts, and a resulting breach could bring regulatory penalties, reputational damage and operational disruption. Given ServiceNow's widespread adoption in Europe for IT service management, HR and customer service workflows, exploitation could affect finance, healthcare, government and critical infrastructure alike, exposing internal processes, customer information or strategic data. Integrity and availability are not directly affected, but leaked data can feed targeted attacks and social engineering campaigns.
Mitigation Recommendations
European organizations should first inventory their Now Platform instances, confirm that the May 2025 ServiceNow security update has been applied, and plan an upgrade to Xanadu or Yokohama, where the newer access control frameworks are available. Upgrading is not sufficient on its own: Query ACLs, Security Data Filters and Deny-Unless ACLs must actually be configured for the tables and fields that hold sensitive data. Where an upgrade is not immediately feasible, audit existing ACLs against ServiceNow's knowledge base guidance, paying particular attention to conditional ACLs (rules whose outcome depends on a per-record condition or script) that guard sensitive fields, since these are the configurations the advisory identifies; replace them with rules that constrain the query itself wherever possible, and remove overly permissive or unauthenticated read paths. Log the query parameters of list and Table API requests and alert on sequences of range queries from one principal that step through successive bounds on the same field, which is the signature of an inference attack. Network-level controls such as IP allow-listing for unauthenticated endpoints and segmentation of administrative access reduce exposure, and ServiceNow support can provide instance-specific guidance.
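As an added example of the query-pattern monitoring recommended above (not ServiceNow tooling and not part of the original advisory), the detector below parses constructed request log lines, extracts range terms from the `sysparm_query` parameter of Table API requests, and flags any principal that issues several distinct bounds on the same field of the same table within a short window. The log line layout, the custom table `u_employee_record`, the principals and the addresses are all constructed; adapt `LINE_RE` to your own transaction or access log format.

```python
"""Detect range-query probing sequences in constructed request logs.

Added example, not ServiceNow tooling. The log format below (timestamp,
principal, source IP, method, URL) is an assumption; the sysparm_query
parameter is where a Table API caller supplies the encoded query.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines: "guest" walks a greater-than bound on salary.
SAMPLE_LOG = """\
2025-05-12T10:00:01Z guest 203.0.113.5 GET /api/now/table/u_employee_record?sysparm_query=sys_id%3Dr1%5Esalary%3E500000
2025-05-12T10:00:02Z guest 203.0.113.5 GET /api/now/table/u_employee_record?sysparm_query=sys_id%3Dr1%5Esalary%3E250000
2025-05-12T10:00:03Z guest 203.0.113.5 GET /api/now/table/u_employee_record?sysparm_query=sys_id%3Dr1%5Esalary%3E125000
2025-05-12T10:00:04Z guest 203.0.113.5 GET /api/now/table/u_employee_record?sysparm_query=sys_id%3Dr1%5Esalary%3E62500
2025-05-12T10:00:05Z guest 203.0.113.5 GET /api/now/table/u_employee_record?sysparm_query=sys_id%3Dr1%5Esalary%3E93750
2025-05-12T10:00:06Z guest 203.0.113.5 GET /api/now/table/u_employee_record?sysparm_query=sys_id%3Dr1%5Esalary%3E78125
2025-05-12T10:01:00Z alice 198.51.100.7 GET /api/now/table/incident?sysparm_query=active%3Dtrue%5Epriority%3D1
2025-05-12T10:02:00Z bob 198.51.100.9 GET /api/now/table/incident?sysparm_query=sys_created_on%3E2025-05-01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
# One encoded-query term: field, a range operator, and the bound.
TERM_RE = re.compile(
    r"^(?P<field>[A-Za-z0-9_.]+)(?P<op>>=|<=|>|<|BETWEEN)(?P<val>.+)$")


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "user": m["user"],
        "ip": m["ip"],
        "table": url.path.rsplit("/", 1)[-1],
        "query": parse_qs(url.query).get("sysparm_query", [""])[0],
    }


def range_terms(query: str):
    """Yield (field, op, bound) for every range term in a caret-joined query."""
    for term in query.split("^"):
        t = TERM_RE.match(term)
        if t:
            yield t["field"], t["op"], t["val"]


def detect_probing(log_text: str, min_probes: int = 5,
                   window: timedelta = timedelta(minutes=2)) -> list:
    """Flag (user, table, field) triples that issue at least `min_probes`
    distinct range bounds within `window`. Returns one alert per triple."""
    probes = defaultdict(list)          # (user, table, field) -> [(ts, bound)]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        for field, _op, bound in range_terms(ev["query"]):
            probes[(ev["user"], ev["table"], field)].append((ev["ts"], bound))

    alerts = []
    for (user, table, field), events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {b for t, b in events[i:] if t - t0 <= window}
            if len(in_window) >= min_probes:
                alerts.append({"user": user, "table": table, "field": field,
                               "probes": len(in_window),
                               "first_seen": t0.isoformat()})
                break                   # one alert per triple is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_probing(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately low for the sample; in production, tune them against a baseline of normal list filtering, and key the counter on the session or source address as well as the user so that unauthenticated probing, which has no meaningful principal, is still grouped. A single range query (bob's date filter above) is ordinary usage and must not fire.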
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: SN
- Date Reserved: 2025-04-15T13:30:21.572Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 686d42bf6f40f0eb72f85c07
Added to database: 7/8/2025, 4:09:35 PM
Last enriched: 8/20/2025, 12:38:04 AM
Last updated: 8/23/2025, 12:35:19 AM
Views: 49
Related Threats
- CVE-2025-9358: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-5352: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in lunary-ai lunary-ai/lunary (High)
- CVE-2025-9357: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-7813: CWE-918 Server-Side Request Forgery (SSRF) in arraytics Eventin – AI Powered Event Manager, Events Calendar, Booking and Tickets Plugin (High)
- CVE-2025-43764: CWE-1333 Inefficient Regular Expression Complexity in Liferay Portal (Medium)