ServiceNow’s platform discloses high-strength security flaws, which, if exploited successfully, could lead to data exposure and removal.
The vulnerability tracked as CVE-2025-3648 (CVSS score: 8.2) is described as a case of data inference on current platforms through conditional access control list (ACL) rules. There was a codename (ER) strike.
“Vulnerabilities are currently being identified on the platform, and data may be inferred without authorization,” ServiceNow said in a breaking news report. “Under a specific Conditional Access Control List (ACL) configuration, the vulnerability allows ruthless, authenticated users to infer instance data that is inaccessible using range query requests.”
The cybersecurity company Varonis, which discovered and reported the flaw in February 2024, said it could have been misused by a malicious actor to gain unauthorized access to sensitive information, including personally identifiable information (PII) and credentials.
At that core, the drawbacks affect the record count UI elements of the list page. This could be a minor abuse of inferring and publishing sensitive data from various tables within ServiceNow.
“This vulnerability could potentially impact all ServiceNow instances and affect hundreds of tables,” Varonis researcher Neta Armon said in an analysis Wednesday.
“In most cases, this vulnerability is relatively simple and requires minimal table access, such as weak user accounts within an instance or self-registered anonymous users, bypassing the need for high privileges and potentially leading to sensitive data exposure.”
Specifically, the company found that while being managed by an ACL configuration, it can be used to collect information using access to ServiceNow tables.
In these cases, the user will be prompted to include the count along with “number of lines removed from this list due to security constraints.” However, if access to a resource is blocked due to a “required role” or “security attribute condition,” the user will receive a blank page with the message “Security constraints prevent access to the requested page.”
It is worth mentioning that the four ACL conditions are evaluated in a specific order, starting with a role, followed by security attributes, data conditions, and finally script conditions. All these conditions must be met for users to access the resource. A state left empty is considered to be of no limitation of any kind.
The fact that the responses differ based on the four ACL conditions opens a new attack route that threat actors can take advantage of to determine which access conditions are not met, and repeatedly querising the database tables by enumerating the desired information using a combination of query parameters and filters. Tables that are protected only by data or scripting conditions are susceptible to inference attacks.
“As long as users on an instance have access to at least one misunderstood table, this vulnerability can be minimized and even unassigned users can take advantage of it,” Armon said. “This vulnerability applies to any table in an instance where the ACL rule has at least one ACL rule, where the first two conditions remain empty or excessively tolerant. This is a common situation.”
Worse, threat actors can use techniques such as dotwalking and self-registration to expand the explosion radius of the defect so that they can access additional data from referenced tables, create accounts, and access the instance without the need for prior approval from the administrator.
Depending on your findings, ServiceNow introduces new security mechanisms such as Query ACLS, Security Data Filters, and Deny ACLS to counter the risks posed by data inference blind query attacks. Although there is no evidence that this issue has been exploited in the wild, all ServiceNow customers are urged to apply the necessary guardrails to sensitive tables.
“ServiceNow customers should also note that query ACLS for the query range is set to default deny, so they should create an exclusion to maintain the ability to perform such actions,” Armon said.
DLL hijacking defect in Lenovo Trackpoint Quick Menu Software
This development has detailed the flaw in privilege escalation (CVE-2025-1729) in the trackpoint quick menu software (“TPQMASSISTANT.EXE”) found in Lenovo Computers, allowing local attackers to escalate privileges by hijacking the vulnerability.
This flaw is addressed in version 1.12.54.0 released on July 8, 2025, following responsible disclosure at the beginning of January this year.
“The directory housing ‘tpqmassistant.exe’ is easy for standard users to write letters, already a red flag,” said security researcher Oddber Moh. “Folder permissions allow the creator’s owner to write files, meaning local users can drop files to this location.”
“When a scheduled task (or the binary itself) is triggered, it tries to load “hostfxr.dll” from the working directory, but the name cannot be found.
As a result, an attacker can place a malicious version of “hostfxr.dll” in “c:\programdatallenovoltpqm\assistant” when the binary is started.
Microsoft addresses a bug in Kerberos Dos
Findings also follow the publication of the defect read out of the Netlogon Protocol (CVE-2025-47978, CVSS score: 6.5) for Windows Kerberos. The vulnerability was addressed by Microsoft as part of the patch for the Tuesday July 2025 update.
Silverfort, which assigned Notlogon to CVE-2025-47978, said it would allow “domain binding machines with minimal privileges to send specially created authentication requests that crash the domain controller and cause a full reboot.”
“This vulnerability does not require high privileges that require standard network access and weak machine accounts. In a typical enterprise environment, modest users can create such accounts by default.”
Cybersecurity companies also noted that the crash primarily affected the local security department’s subsystem services (LSASS). It says this is a critical security process for Windows, which is responsible for enforcing security policies and handling user authentication. Therefore, the successful exploitation of CVE-2025-47978 can destabilize or disrupt Active Directory services.
“Using only a valid machine account and crafted RPC messages allows an attacker to crash a domain controller remotely, a system responsible for core Active Directory functions, including authentication, authorization, group policy enforcement, and service ticket issue,” Segal said.
Source link
