UPDATE (July 30): ServiceNow said it has not observed the activity mentioned by Resecurity and BleepingComputer against instances that ServiceNow hosts, but encouraged self-hosted and ServiceNow-hosted customers to apply the relevant patches it deployed. It is important to note that these are not new vulnerabilities, but rather were previously addressed and disclosed in CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178.

Numerous organizations around the world, including government agencies, energy providers, software development companies, and data centers, have been compromised in ongoing attacks chaining a trio of now-addressed ServiceNow Now Platform vulnerabilities, two of which are critical in severity, reports BleepingComputer.

Identification of the critical arbitrary code execution bugs, tracked as CVE-2024-4879 and CVE-2024-5217, as well as the medium-severity flaw, tracked as CVE-2024-5178, has been followed by widespread network scanning for vulnerable instances, which have been targeted with an injected payload used to check the server's response before a second-stage payload is deployed, a Resecurity analysis showed.

Successful compromise has mostly resulted in the exposure of hashed user lists and account credentials, although some instances leaked plaintext credentials, according to Resecurity researchers, who also observed elevated interest in the flaws from cybercriminals who have been looking to secure IT service desk and corporate portal access.
Vulnerability Management, Threat Intelligence
Attacks exploiting critical ServiceNow RCE bugs underway
