CVE-2025-62607 identifies a vulnerability in the nautobot-app-ssot component of Nautobot, a network source of truth application. Prior to version 3.10.0, the application failed to enforce authentication on a critical configuration page, allowing unauthenticated attackers to access the ServiceNow public instance name (e.g., companyname.service-now.com). This exposure is limited to low-value information and does not disclose sensitive secrets such as usernames, passwords, or secret values. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), indicating a failure to restrict access to a function that should require authentication. The attacker cannot modify the instance name, set secrets, or access other Nautobot pages through this flaw. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting a network attack vector with low complexity, no privileges required, no user interaction, and limited confidentiality impact. No integrity or availability impacts are present. The issue was publicly disclosed and patched in version 3.10.0, with no known exploits in the wild to date.

For European organizations, the primary impact of this vulnerability is limited to information disclosure of the ServiceNow instance name, which could be used by attackers as part of reconnaissance to identify targets for phishing, social engineering, or more targeted attacks against the ServiceNow platform. Since no sensitive credentials or configuration changes can be made, the direct risk is low. However, in environments where Nautobot is integrated with critical infrastructure or where ServiceNow instances manage sensitive workflows, even low-value information leakage can aid attackers in crafting more effective attacks. The lack of authentication on this function could also indicate potential gaps in security hygiene that might be exploited in other ways if combined with additional vulnerabilities. Organizations relying on affected versions should consider the exposure in the context of their threat models and the sensitivity of their ServiceNow deployments.

The primary mitigation is to upgrade nautobot-app-ssot to version 3.10.0 or later, where the authentication enforcement on the configuration page has been implemented. Until upgrade is possible, organizations should restrict network access to the Nautobot application, especially the configuration endpoints, using network segmentation, firewalls, or VPNs to limit exposure to trusted users only. Monitoring access logs for unusual or unauthenticated requests to the configuration page can help detect exploitation attempts. Additionally, reviewing and hardening authentication and access control policies around Nautobot and integrated systems like ServiceNow is recommended. Security teams should also ensure that secrets and credentials are stored securely and not exposed through other means. Regular vulnerability scanning and patch management processes should be enforced to prevent similar issues.