ServiceNow Widget Misconfiguration Exposes Sensitive Data to Unauthenticated Access
Finland’s National Cyber Security Centre warned that an insecure default configuration in the ServiceNow platform can expose sensitive data, and said it has received multiple reports of attacks exploiting the issue. The problem affects portal widgets used to build forms, lists, and tables, particularly the Simple List widget, which can be publicly accessible without role restrictions by default. In affected deployments, an unauthenticated attacker may query the widget’s server-side script through the API and retrieve database contents in JSON format.
The exposed information can include system details, personal data, and confidential business information, depending on how each organization has configured ServiceNow. ServiceNow has also acknowledged that incorrect platform configurations can lead to sensitive information leakage. Authorities urged organizations using the platform to review widget settings and ACL configurations, inspect logs for signs of exploitation, and strengthen access controls with measures such as IP-based restrictions, adaptive authentication, and ServiceNow’s Explicit Roles plugin.
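The following script is an added example, not code from the advisory or from ServiceNow, showing how an administrator could audit an instance for the misconfiguration described above: widgets that are marked public and carry no role restriction. It assumes (the page does not state this) that Service Portal widgets are stored in the sp_widget table, that the table’s public flag and roles list govern whether the widget’s server script can be reached without a session, and that records are read through the Table REST API as JSON. The sample records are constructed; the audit logic runs on them offline and the URL builder shows the query a practitioner would send to a real instance.

```python
"""Audit ServiceNow Service Portal widgets for the 'public, no roles' state.

Assumptions (not stated on the page): widgets live in the sp_widget table,
whose 'public' and 'roles' fields are returned by the Table REST API as the
strings "true"/"false" and a comma-separated role list. The instance host
name and the sample records below are constructed for illustration.
"""
from urllib.parse import urlencode

# Encoded query: widgets that are public AND have an empty roles list.
# This is the combination that lets an unauthenticated caller reach the
# widget's server-side script.
EXPOSED_QUERY = "public=true^rolesISEMPTY"


def table_api_url(instance: str) -> str:
    """Build the Table API URL that lists exposed widgets.

    `instance` is the instance host name, e.g. 'acme.service-now.com'
    (a placeholder, not a real instance).
    """
    params = urlencode({
        "sysparm_query": EXPOSED_QUERY,
        "sysparm_fields": "sys_id,name,id,public,roles",
        "sysparm_limit": "1000",
    })
    return f"https://{instance}/api/now/table/sp_widget?{params}"


def is_exposed(widget: dict) -> bool:
    """True when the widget is public and restricted to no role at all.

    A public widget that requires at least one role is still gated; a
    non-public widget needs an authenticated session regardless of roles.
    """
    public = str(widget.get("public", "")).strip().lower() == "true"
    roles = [r for r in str(widget.get("roles", "")).split(",") if r.strip()]
    return public and not roles


def find_exposed_widgets(records: list) -> list:
    """Return the widget 'id' values that fail the check, in input order."""
    return [w["id"] for w in records if is_exposed(w)]


def remediation(widget: dict, role: str = "") -> dict:
    """Return the PATCH body that closes the exposure for one widget.

    Either drop the public flag, or keep it public but require a role.
    """
    if role:
        return {"roles": role}
    return {"public": "false"}


# Constructed sample of a Table API "result" array. The sys_id and id
# values are placeholders, not records from any real instance.
SAMPLE_RESULT = [
    {"sys_id": "sample-0001", "name": "Simple List", "id": "sample-simple-list",
     "public": "true", "roles": ""},
    {"sys_id": "sample-0002", "name": "Data Table", "id": "sample-data-table",
     "public": "false", "roles": ""},
    {"sys_id": "sample-0003", "name": "Approvals", "id": "sample-approvals",
     "public": "true", "roles": "approver_user"},
]


if __name__ == "__main__":
    print("Query URL:", table_api_url("acme.service-now.com"))
    for wid in find_exposed_widgets(SAMPLE_RESULT):
        widget = next(w for w in SAMPLE_RESULT if w["id"] == wid)
        print(f"EXPOSED: {widget['name']} ({wid}) -> PATCH {remediation(widget)}")
```

Against a live instance the same query is sent with an administrator session; the only record flagged in the constructed sample is the public Simple List entry with no roles, which matches the widget the advisory singles out. Removing the public flag is the safer fix where the portal does not need anonymous access; where it does, the widget should be kept public only with a role requirement and an ACL on the underlying table.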

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Finnish NCSC issues public alert and mitigation guidance
On 2023-11-01, the Finnish NCSC published an alert describing the insecure default configuration risk in ServiceNow portal widgets and warning organizations to review widget and ACL settings. It also advised checking logs for exploitation and considering stronger access controls such as IP restrictions, adaptive authentication, and ServiceNow Explicit Roles.
Finnish NCSC receives reports of exploitation against ServiceNow instances
Finland’s National Cyber Security Centre reported receiving multiple notifications of attacks exploiting the ServiceNow misconfiguration issue. The flaw allowed unauthenticated querying of widget server-side scripts through the API, potentially exposing database contents such as system information, personal data, and business secrets.
ServiceNow warns of sensitive data exposure from widget misconfiguration
Roughly a week before 2023-11-03, ServiceNow stated on its support site that incorrect platform configurations in portal widgets could allow sensitive information to leak. The issue was tied to insecure default widget settings, including cases where public access combined with missing role restrictions exposed data.
Sources
2 references.
National Cyber Security Centre weekly review 44/2023 (Kyberturvallisuuskeskuksen viikkokatsaus - 44/2023) | Traficom, kyberturvallisuuskeskus.fi (open source)
Incorrect default configuration on the ServiceNow platform enables a data leak (Virheellinen oletuskonfiguraatio ServiceNow -alustalla mahdollistaa tietovuodon) | Traficom, kyberturvallisuuskeskus.fi (open source)