CVE-2025-3648 is a high-severity vulnerability affecting the ServiceNow Now Platform, identified as CWE-1220 (Insufficient Granularity of Access Control). The flaw arises from certain conditional Access Control List (ACL) configurations that allow both unauthenticated and authenticated users to perform range query requests to infer data within an instance that they should not have access to. This means that attackers can potentially extract sensitive information by exploiting weaknesses in how access controls are implemented and enforced, without necessarily having direct permissions to view that data. The vulnerability does not require user interaction and can be exploited remotely over the network, increasing its risk profile. ServiceNow has responded by introducing enhanced access control frameworks in their Xanadu and Yokohama releases, including Query ACLs, Security Data Filters, and Deny-Unless ACLs, which provide more granular and restrictive access control capabilities. Additionally, a security update was delivered in May 2025 to help customers strengthen their ACL configurations. However, the vulnerability remains critical for instances that have not applied these updates or have misconfigured ACLs. The CVSS 4.0 score of 8.2 reflects the high impact on confidentiality due to unauthorized data inference, with no impact on integrity or availability. No known exploits are currently reported in the wild, but the ease of exploitation and the broad scope of affected systems make this a significant concern for organizations relying on the Now Platform for IT service management and other critical business processes.

For European organizations, the impact of CVE-2025-3648 can be substantial given the widespread adoption of ServiceNow's Now Platform across various sectors including government, finance, healthcare, and telecommunications. Unauthorized data inference could lead to exposure of sensitive personal data, intellectual property, or operational information, potentially violating GDPR and other data protection regulations. This could result in regulatory fines, reputational damage, and loss of customer trust. Furthermore, attackers leveraging this vulnerability could gain insights that facilitate further targeted attacks or fraud. The fact that unauthenticated users can exploit this vulnerability increases the risk of external threat actors accessing confidential data without any prior access credentials. European organizations with complex ACL configurations or those that have delayed applying the May 2025 security update are particularly at risk. The vulnerability also poses a risk to supply chain security where ServiceNow instances are integrated with other critical systems, potentially enabling lateral movement or data leakage across interconnected environments.

European organizations should immediately verify their ServiceNow Now Platform versions and ACL configurations. Applying the May 2025 security update from ServiceNow is critical to mitigate this vulnerability. Organizations should adopt the enhanced access control frameworks introduced in the Xanadu and Yokohama releases, specifically implementing Query ACLs, Security Data Filters, and Deny-Unless ACLs to enforce stricter and more granular access policies. It is essential to conduct a thorough audit of existing ACLs to identify and remediate any overly permissive or conditional rules that could be exploited. Regularly reviewing and testing ACL configurations using internal penetration testing or third-party security assessments can help detect potential inference channels. Additionally, organizations should monitor network traffic for unusual range query requests that could indicate exploitation attempts. Restricting access to the Now Platform management interfaces and enforcing strong authentication and authorization controls will further reduce risk. Finally, organizations should ensure that all relevant personnel are trained on secure ACL configuration best practices and maintain close communication with ServiceNow support for ongoing guidance and updates.