CVE-2025-3648: CWE-1220: Insufficient Granularity of Access Control in ServiceNow Now Platform
A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them. To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs. Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations. Customers, please review the KB Articles in the References section.
AI Analysis
Technical Summary
CVE-2025-3648 is a high-severity vulnerability in the ServiceNow Now Platform, classified as CWE-1220 (Insufficient Granularity of Access Control). Under certain conditional Access Control List (ACL) configurations, both unauthenticated and authenticated users can issue range query requests and, from the responses, infer instance data they are not permitted to read. The attacker never reads the protected data directly; the leak comes from how access controls are applied to queries rather than from any direct permission on the data. Exploitation needs no user interaction and is possible remotely over the network, which raises the risk profile. ServiceNow's response is twofold: the Xanadu and Yokohama releases add more granular and restrictive access control frameworks (Query ACLs, Security Data Filters, and Deny-Unless ACLs), and a security update delivered in May 2025 helps customers strengthen their ACL configurations. The vulnerability remains critical for instances that have not applied these updates or that still have misconfigured ACLs. The CVSS 4.0 score of 8.2 reflects a high confidentiality impact from unauthorized data inference, with no impact on integrity or availability. No exploitation in the wild has been reported, but the ease of exploitation and the breadth of Now Platform deployments for IT service management and other critical business processes make this a significant concern.
Potential Impact
For European organizations, the impact of CVE-2025-3648 can be substantial given the widespread adoption of ServiceNow's Now Platform across various sectors including government, finance, healthcare, and telecommunications. Unauthorized data inference could lead to exposure of sensitive personal data, intellectual property, or operational information, potentially violating GDPR and other data protection regulations. This could result in regulatory fines, reputational damage, and loss of customer trust. Furthermore, attackers leveraging this vulnerability could gain insights that facilitate further targeted attacks or fraud. The fact that unauthenticated users can exploit this vulnerability increases the risk of external threat actors accessing confidential data without any prior access credentials. European organizations with complex ACL configurations or those that have delayed applying the May 2025 security update are particularly at risk. The vulnerability also poses a risk to supply chain security where ServiceNow instances are integrated with other critical systems, potentially enabling lateral movement or data leakage across interconnected environments.
Mitigation Recommendations
European organizations should immediately verify their ServiceNow Now Platform versions and ACL configurations. Applying the May 2025 security update from ServiceNow is critical to mitigate this vulnerability. Organizations should adopt the enhanced access control frameworks introduced in the Xanadu and Yokohama releases, specifically implementing Query ACLs, Security Data Filters, and Deny-Unless ACLs to enforce stricter and more granular access policies. It is essential to conduct a thorough audit of existing ACLs to identify and remediate any overly permissive or conditional rules that could be exploited. Regularly reviewing and testing ACL configurations using internal penetration testing or third-party security assessments can help detect potential inference channels. Additionally, organizations should monitor network traffic for unusual range query requests that could indicate exploitation attempts. Restricting access to the Now Platform management interfaces and enforcing strong authentication and authorization controls will further reduce risk. Finally, organizations should ensure that all relevant personnel are trained on secure ACL configuration best practices and maintain close communication with ServiceNow support for ongoing guidance and updates.
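As an added illustration (not ServiceNow's code and not taken from the advisory), the toy model below shows why a row- and field-level ACL alone can leave a range-query inference channel open, and how a query-level deny-unless check of the kind the mitigation section describes closes it; the record fields, roles, helper names and sample values are all invented for this example.

```python
"""Toy model of a range-query inference channel (CWE-1220 style) and of a
query-level deny-unless check that closes it. Not ServiceNow code: records,
roles and the helper names are invented for this example."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Record:
    sys_id: str
    visibility: str   # "public" rows are readable by anyone, including guests
    salary: int       # field-level ACL: readable by the "hr" role only


def row_readable(rec: Record, roles: frozenset) -> bool:
    return rec.visibility == "public" or "admin" in roles


def field_readable(field: str, roles: frozenset) -> bool:
    return field != "salary" or "hr" in roles


def redact(rec: Record, roles: frozenset) -> dict:
    return {f: (getattr(rec, f) if field_readable(f, roles) else "***")
            for f in ("sys_id", "visibility", "salary")}


def query_unguarded(table, roles, field, lo, hi):
    """Vulnerable shape: row ACL and field redaction are both enforced, yet the
    range condition is still evaluated on the redacted field, so membership in
    the result set reveals whether the hidden value lies in [lo, hi]."""
    return [redact(r, roles) for r in table
            if row_readable(r, roles) and lo <= getattr(r, field) <= hi]


def query_guarded(table, roles, field, lo, hi):
    """Hardened shape (deny-unless): a condition on a field the caller may not
    read is refused outright, so the response cannot depend on that field."""
    if not field_readable(field, roles):
        raise PermissionError(f"query on protected field {field!r} denied")
    return query_unguarded(table, roles, field, lo, hi)


def has_inference_channel(query_fn, roles, field="salary") -> bool:
    """Regression check: run one range query against two tables that differ
    only in the protected value; a differing observable response means the
    protected value influences what the caller sees, i.e. a leak."""
    base = Record("r1", "public", 40_000)  # constructed sample row

    def observe(rec):
        try:
            return repr(query_fn([rec], roles, field, 50_000, 200_000))
        except PermissionError as exc:
            return f"denied: {exc}"

    return observe(base) != observe(replace(base, salary=90_000))


GUEST = frozenset({"guest"})
```

The check is the kind of test an ACL audit can keep as a regression guard: it passes only when a caller who cannot read a field also cannot learn anything about it through a range condition.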
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: SN
- Date Reserved: 2025-04-15T13:30:21.572Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 686d42bf6f40f0eb72f85c07
Added to database: 7/8/2025, 4:09:35 PM
Last enriched: 7/8/2025, 4:24:32 PM
Last updated: 7/8/2025, 8:56:48 PM