CVE-2025-3648

July 10, 2025

Minutes Read

Unauthorized Data Exposure via Range Queries in ServiceNow ACLs

Security Advisory

July 10, 2025

Minutes Read

Unauthorized Data Exposure via Range Queries in ServiceNow ACLs

This is some text inside of a div block.

Minutes Read

Kudelski Security Team

Find out more

table of contents

Share on

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Summary

A vulnerability has been identified in the ServiceNow Platform that may allow unauthenticated or authenticated users to infer data they should not have access to. This occurs under certain misconfigured or overly permissive access control list (ACL) conditions, specifically involving range query requests. In response, ServiceNow has:

Deployed a May 2025 security update across all supported instances to harden ACL configurations and restrict unauthorized data exposure.
Introduced new ACL frameworks in Xanadu and Yokohama platform releases, including Query ACLs, Security Data Filters, and Deny-Unless ACLs.
Added tooling to help instance admins enforce consistent access rules going forward.

Customers are urged to validate the update and review their ACL configurations, particularly if their instances rely on public roles or include custom access logic.

A CVE identifier is pending coordinated disclosure with external security researchers.

Affected Systems and/or Applications:

All supported ServiceNow platform versions, including:
- Washington DC and earlier, which do not support Deny-Unless ACLs.
- Xanadu and above, which include enhanced security mechanisms.
Instances with:
- Custom tables or fields not protected by field-specific ACLs
- Deactivated or modified default ACLs
- Use of the public role without restrictions

Technical Details

Under certain ACL configurations, users could perform range queries (e.g., queries that return subsets of records) against unsecured fields or tables. This could allow them to infer data values even without full read permissions.

ServiceNow’s Remediation Actions

As of May 2025, ServiceNow applied a platform-wide update that includes:

Default Deny Behavior for query_range ACLs:
The global *.* query_range ACL now denies access unless overridden by a more specific ACL.
Auto-Generated ACLs:
New query_range and read ACLs were created based on current user permissions to preserve functionality while enforcing security.
Public Role Changes:
Certain ACLs that previously granted limited access to unauthenticated users via the public role have been updated or modified. Roles were changed to nobody where appropriate.
New Script Tooling – QueryRangeACLAuditor:
A Script Include was installed in all instances. Admins can use this to reapply the ACL logic to new fields or tables.
Read ACL Adjustments:
Additional ACLs were deployed to preserve expected functionality even with the tightened query_range logic.
Field-Type Exceptions:
Certain fields (e.g., short_description, html, ip_address) continue to allow access based on pre-existing rules. Customers should manually review these if sensitive data is stored within them.

Mitigation

Immediate Validation Steps

Validate Security Attributes (sys_security_attribute Table)

Ensure these attributes exist and are set to True:

Attribute Name	sys_id
HasRightsToRea d	7e1a092793 0102102504 ff92f18918 26
HasRightsToRea dIsTrue	ddb311e393 0102102504 ff92f18918 c9
UserIsAuthentic atedAndHasRig htsToRead	30b1557ea3 dc6210103d a1fdc31e61 28

Validate ACLs in the sys_security_acl Table

Look for ACLs that apply the new rules. Key entries include:

ACL Name	sys_id	Operation	Type
.	5c3e8c50935502102504ff92f189187c	query_range	Deny-Unless (modified role to nobody)
.	7fce54b64ff42210ee1a3c11b1ce0b97	query_range	Allow-if
.	373e8c50935502102504ff92f1891889	query_match	Allow-if

If any of the expected ACLs or security attributes are missing or incorrectly configured, contact ServiceNow support and reference:

ACL and Access Review

Review use of the public role in any ACLs.
- Remove the public role or apply the UserIsAuthenticated security attribute.
- Always test changes in non-production environments to avoid impacting functionality.
www.kudelskisecurity.com/threat-alert-center/
Inspect custom ACL logic on any new or non-standard tables or fields.
Evaluate data types excluded from automatic ACL changes. These include (not exhaustive): html, css, ip_address, date, glide_date_time, short_description, translated_html, etc.

If sensitive data resides in these fields, create custom query ACLs to protect them.

Support

Open a ServiceNow support case if issues are found during validation.
Refer to ServiceNow KB articles for detailed guidance (e.g., KB0695271 for managing public ACL roles).

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) will continue to monitor this issue closely and will issue an advisory update if any new risks, guidance, or changes are identified — including publication of the pending CVE.

We confirm that KudelskiSecurity ServiceNow instances were tested against this vulnerability last week. Following our recent upgrade, all instances are protected and aligned with ServiceNow’s updated security model.

Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.