Over 1,000 ServiceNow instances have been discovered to be leaking sensitive corporate Knowledge Base (KB) data, revealing a major security flaw that exposes critical information to potential threats. According to a report by cybersecurity firm AppOmni, these misconfigured instances have inadvertently made a range of sensitive data, including personally identifiable information (PII), internal system details, user credentials, and access tokens, accessible to unauthorized users. This vulnerability affects ServiceNow’s cloud-based platform, which is widely used by organizations for managing IT services, HR tasks, customer service, and internal knowledge sharing.
The issue arises from the use of outdated access controls that fail to adequately secure KB articles. Despite ServiceNow’s 2023 update designed to enhance Access Control Lists (ACLs) and prevent unauthorized access, many KBs still utilize a less secure “User Criteria” permission system. This oversight has left numerous public-facing widgets unprotected, allowing attackers to access sensitive data without requiring authentication. The exposed information can be exploited through brute-force techniques, where attackers systematically guess KB article IDs to retrieve confidential content.
AppOmni’s investigation highlights the critical need for organizations to review and update their ServiceNow security configurations. The firm’s report reveals that malicious actors can leverage tools like Burp Suite to automate attacks, retrieving and exploiting KB articles that should have been restricted. This situation underscores the importance of implementing robust access controls and regularly auditing configurations to prevent such vulnerabilities from being exploited.
To mitigate these risks, AppOmni advises ServiceNow administrators to ensure that KB articles are protected by appropriate user criteria settings. Administrators should avoid configurations that allow broad access, such as “Any User” or “Guest User,” and instead enforce stricter access controls. Additionally, it is recommended to activate ServiceNow’s out-of-the-box rules that automatically restrict guest users from accessing newly created KBs until explicit access is granted. By taking these steps, organizations can better safeguard their sensitive information and reduce the risk of data breaches.
