A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them.

To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs.

Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations.

Customers, please review the following KB Articles for further guidance:
  *  (Requires NowSupport login)  https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2046494 
  *  (Requires NowSupport login)  https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2256712 
  *   https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2139567

CVE Database V5

Detailed information about CVE-2025-3648: CWE-1220: Insufficient Granularity of Access Control in ServiceNow Now Platform affecting ServiceNow Now Platform. Get

CVE-2025-3648: CWE-1220: Insufficient Granularity of Access Control in ServiceNow Now Platform - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-3648: CWE-1220: Insufficient Granularity of Access Control in ServiceNow Now Platform

Bitchat MITM Flaw

Source: https://www.supernetworks.org/pages/blog/agentic-insecurity-vibes-on-bitchat

The 'Bitchat MITM Flaw' refers to a man-in-the-middle (MITM) vulnerability reported in the Bitchat platform, as discussed in a recent Reddit NetSec post linking to an external blog on supernetworks.org. Although detailed technical specifics are scarce, the designation as a MITM flaw implies that an attacker could intercept, modify, or eavesdrop on communications between users of Bitchat without their knowledge. MITM vulnerabilities typically arise from weaknesses in encryption protocols, improper certificate validation, or insecure network communication channels. The lack of affected versions and patch information suggests that this flaw is either newly discovered or not yet fully analyzed or remediated. The minimal discussion level and low Reddit score indicate limited community validation or exploitation evidence at this time. However, the medium severity assigned suggests that the flaw could allow attackers to compromise confidentiality and integrity of user communications, potentially leading to data leakage, impersonation, or unauthorized access. Since Bitchat is presumably a communication platform, the flaw could undermine user trust and expose sensitive conversations to adversaries capable of network interception.

Reddit NetSec

Detailed information about Bitchat MITM Flaw. Get real-time updates, technical details, and mitigation strategies.

Bitchat MITM Flaw - Live Threat Intelligence - Threat Radar | OffSeq.com

Bitchat MITM Flaw

Reddit Discussion: Bitchat MITM Flaw

OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2,12.4.0.3  and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution

CVE-2025-6771 is a high-severity vulnerability classified as CWE-78, which corresponds to OS Command Injection, found in Ivanti Endpoint Manager Mobile (EPMM) versions prior to 12.5.0.2, 12.4.0.3, and 12.3.0.3. This vulnerability allows a remote attacker who has already authenticated with high privileges to execute arbitrary operating system commands on the affected system. The flaw arises from improper neutralization of special elements in OS commands, enabling the attacker to inject malicious commands that the system executes with the privileges of the vulnerable application. Given the CVSS 3.1 base score of 7.2, the vulnerability is considered high severity, reflecting its potential to compromise confidentiality, integrity, and availability. The attack vector is network-based (AV:N), requiring low attack complexity (AC:L), but it requires the attacker to have high privileges (PR:H) and no user interaction (UI:N). The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. Exploiting this vulnerability could lead to full remote code execution, allowing attackers to manipulate system processes, access sensitive data, or disrupt services. No public exploits are currently known in the wild, and no official patches or mitigation links have been published yet. However, the presence of this vulnerability in a mobile endpoint management product used to control and secure mobile devices presents a significant risk, especially in enterprise environments where such tools are critical for device management and security enforcement.

Detailed information about CVE-2025-6771: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Ivanti Endpoint M

CVE-2025-6771: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Ivanti Endpoint Manager Mobile - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6771: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Ivanti Endpoint Manager Mobile

A potential security vulnerability has been identified in the HP Support Assistant, which allows a local attacker to escalate privileges via an arbitrary file deletion.

CVE-2025-43019 is a security vulnerability identified in HP Inc.'s HP Support Assistant software. The vulnerability is classified under CWE-269, which pertains to improper privilege management. Specifically, this flaw allows a local attacker with limited privileges to escalate their privileges by exploiting an arbitrary file deletion capability within the software. The attack vector requires local access (AV:L), and the attacker must have low privileges (PR:L) but does not require user interaction (UI:N). The vulnerability has a medium complexity (AC:L) and partial impact on confidentiality, integrity, and availability, with a high impact on availability (VA:H). The vulnerability does not affect confidentiality or integrity significantly but can lead to denial of service or disruption of system operations due to the deletion of critical files. The vulnerability is present in certain versions of HP Support Assistant, though the exact affected versions are referenced in HP's security bulletin and not detailed here. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on July 8, 2025, and has a CVSS 4.0 base score of 5.8, indicating a medium severity level. The core issue is improper privilege management, allowing an attacker to delete arbitrary files, which could lead to privilege escalation or system instability.

Detailed information about CVE-2025-43019: CWE-269 Improper Privilege Management in HP Inc. HP Support Assistant affecting HP Inc. HP Support Assistant. Get rea

CVE-2025-43019: CWE-269 Improper Privilege Management in HP Inc. HP Support Assistant - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-43019: CWE-269 Improper Privilege Management in HP Inc. HP Support Assistant

A vulnerability was found in code-projects Library System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /approve.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Detailed information about CVE-2025-7185: SQL Injection in code-projects Library System affecting code-projects Library System. Get real-time updates, technical

CVE-2025-7185: SQL Injection in code-projects Library System

CVE-2025-7185: SQL Injection in code-projects Library System

Description

Technical Details

Related Threats

CVE-2025-3648: CWE-1220: Insufficient Granularity of Access Control in ServiceNow Now Platform

CVE-2025-6771: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Ivanti Endpoint Manager Mobile

CVE-2025-43019: CWE-269 Improper Privilege Management in HP Inc. HP Support Assistant

CVE-2025-7184: SQL Injection in code-projects Library System

CVE-2025-5464: CWE-532 Insertion of Sensitive Information into Log File in Ivanti Connect Secure

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility