Introduction
ServiceNow has disclosed a significant security incident confirming that attackers successfully exploited an unauthenticated access flaw in a vulnerable API endpoint. This issue allowed unauthorized actors to query and potentially exfiltrate sensitive data from customer instances. For SOC analysts and defenders, this is a critical event. It highlights a systemic failure in API perimeter defense and access control list (ACL) configuration within SaaS environments. The exposure window calls for immediate forensic review of access logs and immediate hardening of instance configurations to prevent further data leakage.
Technical Analysis
Affected Platform: ServiceNow (Cloud-based SaaS platform)
Vulnerability Class: Broken Access Control / Insecure Direct Object Reference (IDOR) via API.
Attack Mechanics:
Attackers leveraged a specific vulnerability in a ServiceNow API endpoint that did not correctly enforce authentication or authorization checks. By sending crafted HTTP requests (likely GET methods) to the vulnerable endpoint, the attacker could bypass identity and access management (IAM) controls.
- Reconnaissance: The attacker identifies the target instance (e.g., company.service-now.com).
- Exploitation: The attacker sends unauthenticated requests to the vulnerable API endpoint.
- Data Exfiltration: The endpoint returns queried data (table records, user info, or configuration data) in JSON or XML format without verifying a session token or API key.
Exploitation Status: Confirmed active exploitation. ServiceNow has acknowledged this is not theoretical; data has been accessed.
Detection & Response
Given the nature of SaaS logging, detection relies heavily on ingesting HTTP access logs (via Syslog or API connectors) into your SIEM. Defenders should look for anomalous volumes of API calls or successful 200 OK responses to endpoints that typically require authentication, originating from unknown IP ranges.
SIGMA Rules
The following rules target suspicious API access patterns often associated with unauthenticated data scraping or enumeration in ServiceNow environments.
---
title: ServiceNow Unauthenticated API Access Attempt
id: 8a4b2c19-7d3e-4f5a-9b1c-3d4e5f6a7b8c
status: experimental
description: Detects potential unauthenticated access to ServiceNow Table API endpoints, characterized by GET requests to /api/now/table/ in proxy logs from user agents other than known integration clients. Where the log source records request headers, combine with a check for a missing Authorization header or session cookie.
references:
    - https://www.servicenow.com/support/security.html
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.initial_access
    - attack.t1190
    - attack.credential_access
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/api/now/table/'
        cs-method: 'GET'
    filter_legit:
        cs-user-agent|contains:
            - 'ServiceNow/'
            - 'Integration-User'
    condition: selection and not filter_legit
falsepositives:
    - Misconfigured integration agents sending initial probes without tokens
level: high
---
title: ServiceNow High Volume Data Query via API
id: 9c5d3e20-8e4f-5g6b-0c2d-4e5f6g7h8i9j   # not a valid UUID as published; regenerate before loading into a Sigma validator
status: experimental
description: Detects high-frequency queries to ServiceNow API endpoints indicative of data scraping or mass enumeration using a specific flaw.
references:
    - Internal Threat Research
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    category: webserver
    product: servicenow
detection:
    selection:
        sc-status: 200
        cs-uri-query|contains: 'sysparm_query='
    timeframe: 1m
    # grouped per client so one scraper stands out instead of the instance's total query volume
    condition: selection | count() by c-ip > 50
falsepositives:
    - Legitimate bulk reporting jobs running at high frequency
level: medium
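The two rules above, applied offline to constructed proxy records, as an added example that is not part of the original post. It assumes a tab-separated record layout (timestamp, client IP, method, URI, status, user agent, and whether credentials were presented) and evaluates rule 2 per client IP over a sliding one-minute window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_AGENTS = ("ServiceNow/", "Integration-User")  # filter_legit in rule 1
BURST_THRESHOLD = 50                                 # count() > 50 per 1m in rule 2
WINDOW = timedelta(minutes=1)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Assumed layout (tab-separated): ts, c-ip, cs-method, c-uri, sc-status, cs-user-agent, auth-present."""
    ts, ip, method, uri, status, ua, auth = line.rstrip("\n").split("\t")
    return {"ts": datetime.strptime(ts, TS_FMT), "ip": ip, "method": method,
            "uri": uri, "status": int(status), "ua": ua, "auth": auth == "yes"}

def rule_unauth_table_access(rec):
    """Rule 1: successful GET to the Table API, no credentials, agent not in the allow-list."""
    return (rec["method"] == "GET" and "/api/now/table/" in rec["uri"]
            and rec["status"] == 200 and not rec["auth"]
            and not any(a in rec["ua"] for a in KNOWN_AGENTS))

def rule_query_burst(records):
    """Rule 2 as a sliding window: {client_ip: peak 1-minute count} for clients over the threshold."""
    hits = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["status"] == 200 and "sysparm_query=" in r["uri"]:
            hits[r["ip"]].append(r["ts"])
    offenders = {}
    for ip, times in hits.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= WINDOW:  # drop timestamps older than one minute
                start += 1
            peak = max(peak, end - start + 1)
        if peak > BURST_THRESHOLD:
            offenders[ip] = peak
    return offenders

def sample_log():
    """Constructed records (not real traffic): one unauthenticated probe, one legitimate
    integration call, and a 60-request scrape from a single IP inside one minute."""
    base = datetime(2026, 4, 6, 10, 0, 0)
    row = "{}\t{}\tGET\t{}\t200\t{}\t{}"
    lines = [row.format(base.strftime(TS_FMT), "203.0.113.7", "/api/now/table/incident?sysparm_limit=1", "curl/8.4.0", "no"),
             row.format(base.strftime(TS_FMT), "10.1.2.3", "/api/now/table/incident?sysparm_query=active=true", "Integration-User/1.0", "yes")]
    for i in range(60):
        lines.append(row.format((base + timedelta(seconds=i)).strftime(TS_FMT), "198.51.100.9",
                                f"/api/now/table/sys_user?sysparm_query=active=true&sysparm_offset={i * 100}",
                                "python-requests/2.31", "no"))
    return lines
```

The probe and every request of the scrape trip rule 1; only the scraping client exceeds the rule 2 threshold, while the integration call matches neither.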
KQL (Microsoft Sentinel)
Use these queries to hunt for signs of exploitation in Syslog (ingested from ServiceNow) or CommonSecurityLog (Proxy).
// Hunt for successful ServiceNow Table API queries from non-corporate IPs
// Adjust the 'CorporateIPs' list to your environment and append your VPN egress CIDR.
// Every entry must be a valid CIDR: an invalid one makes ipv4_is_in_any_range() return null and silently drops every row.
let CorporateIPs = dynamic(["10.0.0.0/8", "192.168.0.0/16"]);
CommonSecurityLog
| where DeviceVendor in ("ServiceNow", "Imperva", "Akamai", "Cisco")
| where RequestURL contains "/api/now/table/"
| where RequestMethod == "GET"
// CEF has no dedicated HTTP status column; most proxy connectors map it to EventOutcome (check your connector's mapping)
| where EventOutcome == "200"
| where not(ipv4_is_in_any_range(SourceIP, CorporateIPs))
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, RequestClientApplication, RequestMethod, EventOutcome
| extend Tactic = "Potential Unauthenticated Access"

// Detect spikes in ServiceNow API request volume in Syslog-ingested access logs
Syslog
| where ProcessName contains "ServiceNow" or SyslogMessage contains "servicenow"
| parse SyslogMessage with * "GET " RequestURL " " *
| where RequestURL contains "/api/now/"
| summarize Count = count() by bin(TimeGenerated, 5m), RequestURL
| where Count > 100 // Threshold tuning required based on baseline
| project TimeGenerated, RequestURL, Count
| sort by Count desc
Velociraptor VQL
While ServiceNow is a SaaS platform, attackers often pivot to on-prem systems or use compromised workstations to interact with the API. This VQL artifact hunts for command-line tools commonly used to script API attacks.
-- Hunt for processes whose command line indicates scripted ServiceNow API interaction
-- Focuses on curl, python, or powershell interacting with ServiceNow domains
-- The parentheses matter: without them the OR branch matches every process on the host
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name IN ('curl.exe', 'python.exe', 'python3.exe', 'powershell.exe', 'pwsh.exe')
  AND (CommandLine =~ 'service-now.com'
       OR (CommandLine =~ 'api/now' AND CommandLine =~ 'sysparm_query'))
Remediation Script (PowerShell)
This script allows defenders to verify if their specific ServiceNow instances are accepting unauthenticated requests to known vulnerable endpoints. Note: This requires connectivity to the ServiceNow instance.
# ServiceNow API Hardening Verification Script
# Tests if the instance returns data without Authorization headers
param(
    [Parameter(Mandatory=$true)]
    [string]$InstanceUrl,            # e.g., "https://companyname.service-now.com"
    [string]$TestTable = "incident",
    [string]$SysParamLimit = "1"
)

$ErrorActionPreference = "Stop"
Write-Host "[*] Testing connectivity to $InstanceUrl..."

# Construct the API URL
$apiEndpoint = "$InstanceUrl/api/now/table/$TestTable?sysparm_limit=$SysParamLimit"

try {
    # Attempt 1: Unauthenticated Request (Simulate the vulnerability check)
    Write-Host "[+] Attempting unauthenticated request to $apiEndpoint..." -ForegroundColor Yellow
    $responseUnauth = Invoke-WebRequest -Uri $apiEndpoint -Method GET -UseBasicParsing -TimeoutSec 10

    # Invoke-WebRequest follows redirects, so a 200 whose body is not JSON is usually the
    # login page rather than table data; only a JSON 200 indicates an exposed endpoint
    $isJson = "$($responseUnauth.Headers['Content-Type'])" -like '*json*'
    if ($responseUnauth.StatusCode -eq 200 -and $isJson) {
        Write-Host "[CRITICAL] Unauthenticated access successful! Instance may be vulnerable." -ForegroundColor Red
        Write-Host "Response Content (First 200 chars): $($responseUnauth.Content.Substring(0, [Math]::Min(200, $responseUnauth.Content.Length)))"
    }
    elseif ($responseUnauth.StatusCode -eq 200) {
        Write-Host "[INFO] Received 200 but the body is not JSON (likely a login page redirect). Review manually." -ForegroundColor Cyan
    }
}
catch {
    # $_.Exception.Response.StatusCode is an HttpStatusCode enum; comparing with -eq 401 works through enum coercion
    if ($_.Exception.Response.StatusCode -eq 401) {
        Write-Host "[SAFE] Unauthenticated request returned 401 Unauthorized. Access is properly restricted." -ForegroundColor Green
    } elseif ($_.Exception.Response.StatusCode -eq 403) {
        Write-Host "[SAFE] Unauthenticated request returned 403 Forbidden. Access is properly restricted." -ForegroundColor Green
    } else {
        Write-Host "[WARNING] Unexpected error during unauthenticated check: $($_.Exception.Message)" -ForegroundColor Cyan
    }
}

# Attempt 2: Authenticated Check (Optional, if credentials provided to verify service health)
# Note: This requires valid Basic Auth credentials
Remediation
Immediate action is required to secure ServiceNow instances against this unauthenticated access flaw:
- Review and Update ACLs: Access Control Lists (ACLs) are the primary defense in ServiceNow. Administrators must audit ACLs for the specific API endpoints (tables) identified as vulnerable. Ensure the snc_rest role or similar internal roles do not have broad read access granted to public or unauthenticated users.
- Check "REST API" Properties: Navigate to System Properties > REST API. Ensure that properties enforcing authentication are strictly enabled (e.g., glide.rest.security.require_csrf or equivalent security hardening properties released in recent patches).
- Apply Vendor Patches: ServiceNow has likely released or will release an emergency patch or security update. Review the official ServiceNow Trust Center advisories and apply the relevant patch upgrades (e.g., Patch Set releases for Vancouver, Washington, or other releases) immediately.
- Audit Access Logs: Review the syslog or sys_audit tables for API usage patterns. Look for operation='query' entries where the user field is empty or set to an anonymous guest account.
- Enable Advanced Security Headers: Ensure Content-Security-Policy and Strict-Transport-Security are enforced, and validate that CORS settings do not allow arbitrary origins to interact with the API.