CVE-2025-3648
BaseFortify
Publication date: 2025-07-08
Last updated on: 2025-07-08
Assigner: ServiceNow
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| servicenow | now_platform | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1220 | The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Now Platform allows unauthorized data inference under certain access control list (ACL) configurations. Both unauthenticated and authenticated users can exploit range query requests to infer data from the instance that they should not have access to.
How can this vulnerability impact me? :
The vulnerability could lead to unauthorized disclosure of sensitive data by allowing users to infer information they are not authorized to access. This can compromise data confidentiality and potentially expose sensitive or private information.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, customers should review and enhance their access control list (ACL) configurations by implementing the additional access control frameworks introduced by ServiceNow in the Xanadu and Yokohama releases, such as Query ACLs, Security Data Filters, and Deny-Unless ACLs. Additionally, customers should apply the security update delivered in May 2025 designed to enhance ACL configurations. For further guidance, customers should consult the provided ServiceNow knowledge base articles.