Cybercriminals are ramping up their efforts to exploit three critical ServiceNow vulnerabilities, with fresh attacks surfacing nearly a year after the flaws were first uncovered. Security researchers warn that companies running unpatched ServiceNow instances are now prime targets.
Threat intelligence startup GreyNoise sounded the alarm this week, reporting a surge in real-world exploitation attempts aimed at the trio of vulnerabilities—CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217. All three were initially disclosed by cybersecurity firm Assetnote back in May 2024, with ServiceNow issuing patches two months later. Despite that, many organizations still haven’t applied those patches.
According to GreyNoise, attackers are now actively scanning and targeting vulnerable ServiceNow instances, with the past week seeing a significant spike in malicious activity. Worryingly, the majority of these attacks—about 70%—were directed at systems located in Israel, though breaches were also spotted in Germany, Japan, and Lithuania.
The real danger lies in how these vulnerabilities interact. GreyNoise confirmed that, just as Assetnote warned last year, the flaws can be chained together, giving attackers full database access to exposed ServiceNow platforms.
That’s especially concerning for businesses, as ServiceNow is widely used to store sensitive employee data, including personally identifiable information (PII) and human resources records. A successful breach could leave highly confidential information exposed, raising the stakes for companies across industries.
While ServiceNow insists that no customers have reported damage from this latest wave of attacks, the threat is real. Erica Faltous, a spokesperson for ServiceNow, acknowledged that the company became aware of the vulnerabilities nearly a year ago but emphasized: “To date, we have not observed any customer impact from an attack campaign.”
Global Targets Include Energy, Finance, and Government Sectors
Still, warnings from other cybersecurity firms paint a more troubling picture. Following the initial disclosure, Resecurity reported seeing foreign threat actors attempting to exploit the same vulnerabilities, targeting a wide range of organizations—from energy companies and data centers to a Middle Eastern government agency and even software developers.
In a separate report published in July 2024, cybersecurity firm Imperva revealed it had observed exploitation attempts spanning 6,000 websites across multiple industries. Financial services companies appeared to be a particular focus, raising concerns about potential breaches in highly regulated sectors.
As attackers renew their focus on these year-old flaws, experts are urging organizations to double-check their ServiceNow instances and apply patches immediately. The longer these vulnerabilities go unaddressed, the greater the risk of a costly data breach.