Hackers are ramping up their attempts to exploit a trio of year-old ServiceNow vulnerabilities to break into unpatched company instances, security researchers warned this week.

Threat intelligence startup GreyNoise said in a blog post on Tuesday that it had observed a “notable resurgence of in-the-wild activity” targeting the three ServiceNow vulnerabilities, tracked as CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217.

The vulnerabilities were first disclosed by researchers at Assetnote on May 14, 2024 and patched by ServiceNow on the same day, ServiceNow spokesperson Erica Faltous told TechCrunch. Details of the bugs were publicly disclosed later in July 2024.

GreyNoise said that all three flaws have seen a resurgence in targeted exploitation attempts in the past week. It’s not known exactly who is behind this latest wave of targeting, but GreyNoise said that 70% of the malicious activity it observed in the past week targeted systems based in Israel, with activity also seen in Germany, Japan, and Lithuania. 

As first noted by Assetnote last year, GreyNoise also confirms that the vulnerabilities can be chained together for “full database access” of affected ServiceNow instances. Organizations often use the ServiceNow platform to host sensitive data about their employees, including their personally identifiable information and HR records related to their employment. 

ServiceNow told TechCrunch that the company first learned of the vulnerabilities “nearly a year ago,” and, “to date, we have not observed any customer impact from an attack campaign.”

Following Assetnote’s disclosure of the flaws last year, U.S. security firm Resecurity warned that foreign threat actors had attempted to exploit the three ServiceNow vulnerabilities to target both private sector companies and government agencies around the world. 

Techcrunch event

Save $200+ on your TechCrunch All Stage pass

Build smarter. Scale faster. Connect deeper. Join visionaries from Precursor Ventures, NEA, Index Ventures, Underscore VC, and beyond for a day packed with strategies, workshops, and meaningful connections.

Save $200+ on your TechCrunch All Stage pass

Build smarter. Scale faster. Connect deeper. Join visionaries from Precursor Ventures, NEA, Index Ventures, Underscore VC, and beyond for a day packed with strategies, workshops, and meaningful connections.

Boston, MA

|

July 15

REGISTER NOW

Resecurity said it saw targeted attempts at an energy company, a data center organization, a Middle Eastern government agency, and a software developer.

Cybersecurity company Imperva released another report in July 2024 warning that it had also observed exploitation attempts across 6,000 sites across various industries, with a focus on the financial services sector.

Amended the third paragraph to note that ServiceNow issued a fix on the same day as Assetnote’s disclosure.