
Severity: High

CA-26-021: ServiceNow Unauthenticated API Endpoint Misconfiguration Exploited in the Wild (KB3067321)

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 8 minutes

API Security, Configuration Drift, Broken Object Level Authentication, Information Disclosure, Australia Platform Release

Source Material: ServiceNow | CSOnline | Cybernews | Technology: ServiceNow Now Platform | Targeted Industries: Global Enterprises, Financial Services, Healthcare, Government, Managed Service Providers (MSPs)

Executive Summary

In early June 2026, ServiceNow disclosed a high-severity security incident involving active, unauthenticated exploitation of its Scripted REST API endpoint /api/now/related_list_edit/create. This vulnerability affects customers running the newly launched Australia platform release alongside select legacy configurations. It allows unauthenticated remote actors to query highly sensitive tenant databases without credentials. Anomalous sweeps and data-harvesting activities targeted this endpoint between June 2 and June 3, 2026, primarily originating from the IP address 51.159.98[.]241.

The technical root cause stems from a configuration defect. The endpoint’s security flag, requires_authentication, was set to false by default. Consequently, all unauthenticated HTTP requests executed under the unprivileged Guest user context. During the exploitation window, attackers attempted to leverage this access to write to the sys_group_has_role table. Threat intelligence analysts assess that these attempts aimed to append highly privileged administrative roles to default or demo group structures containing known system IDs (sys_id) to establish persistent backdoors within compromised tenants.

ServiceNow applied an emergency hotfix to hosted instances on June 5, 2026. However, public disclosure of support bulletin KB3067321 was delayed until June 9, 2026, and placed behind a gated login portal. On June 10, 2026, ServiceNow silently deployed a secondary update to protect against a variant of this issue affecting two additional endpoints, indicating an active threat surface. Community reports suggest ServiceNow was internally aware of the initial vulnerability as early as April 7, 2026, but delayed patching in favor of a future Q4 platform release.

Organizations utilizing ServiceNow must review security logs retrospectively and audit all custom Scripted REST API resources. Because ServiceNow serves as a central repository for IT tickets, asset inventories, credentials, and security incidents, immediate mitigation is necessary to prevent downstream credential stuffing and lateral network movement.

Threat Overview and Strategic Impact

The vulnerability resides in the core platform code of the ServiceNow Now Platform Australia release (General Availability May 5, 2026) and in older releases (Xanadu, Yokohama, Zurich) on which custom API authentication configurations had been applied. The Scripted REST Resource /api/now/related_list_edit/create bypassed security verification because the requires_authentication parameter was set to false. This enabled unauthenticated HTTP requests to execute query logic against tenant tables. During the active sweep window on June 2–3, 2026, attackers systematically attempted to modify the sys_group_has_role table, aiming to bind high-privilege roles to default user groups. A secondary variant discovered on June 10, 2026, forced ServiceNow to patch two additional endpoints, demonstrating that the initial configuration failure was not isolated.

The strategic impact of this configuration defect exposes organizations to severe downstream risks. Under NIST SP 800-161, ServiceNow constitutes a Tier 1 supply chain risk. While the vendor manages the infrastructure code, tenants bear the ultimate operational and regulatory consequences. Exposed repositories commonly house sensitive corporate intelligence, including IT tickets, internal documentation, asset configurations, and credentials or API tokens embedded in support workflows.

For organizations utilizing external Managed Service Providers (MSPs), the risk is compounded; a breach of a single shared instance could expose interconnected partner directories. The gated nature of support bulletin KB3067321—disclosed four days after emergency patching—disrupted regulatory compliance timelines under GDPR, SEC, and HIPAA. Legal teams could not trigger necessary breach-notification clocks in a timely manner due to the lack of early, transparent telemetry.

Table 1: Profile of Key ServiceNow Platform Vulnerabilities (2024–2026)

| Vulnerability / Incident | Affected Components | Vulnerability Type | Exploit Behavior & Corporate Impact |
|---|---|---|---|
| CVE-2024-4879 / CVE-2024-5217 | Now Platform (Vancouver, Washington D.C.) | Remote Code Execution (RCE) via Input Validation Bypass | Unauthenticated remote code execution, database exfiltration, credential harvesting, and active dark web forum target recruitment. |
| CVE-2025-12420 (“BodySnatcher”) | Now Assist AI Agents, Virtual Agent API | Authentication Bypass & Privilege Escalation | Unauthenticated impersonation of privileged users to drive agentic workflows and establish backdoor admin roles. |
| KB3067321 (June 2026) | /api/now/related_list_edit/create (Australia & select custom configs) | Broken Object Level Authentication (BOLA) | Unauthenticated queries under the Guest context; automated sweeps targeting the sys_group_has_role table. |
| June 10, 2026 Variant | Two additional unauthenticated Scripted REST endpoints | Scripted REST API Misconfiguration | Variant of the initial unauthenticated access flaw, requiring an emergency maintenance deployment. |

Table 2: Chronology of the June 2026 Incident (KB3067321)

| Date | Phase | Event Description |
|---|---|---|
| April 7, 2026 | Internal Logging | ServiceNow documents the unauthenticated API endpoint issue internally; the flaw is categorized as non-urgent, with remediation deferred to the Q4 “Brazil” release. |
| April 22, 2026 | Vulnerability Reporting | ServiceNow receives a confidential bug bounty submission describing unauthenticated API access. |
| June 2–3, 2026 | Active Exploitation | Threat actors (or scanning entities) execute automated sweeps targeting /api/now/related_list_edit/create from IP address 51.159.98[.]241, querying sensitive tables. |
| June 3–4, 2026 | Customer Escalation | Multiple customers submit bug bounty findings matching the April 22 report. |
| June 5, 2026 | Silent Remediation | ServiceNow quietly deploys an emergency security update to hosted customer instances, setting requires_authentication=true on the vulnerable endpoint. |
| June 7, 2026 | External Research | Two independent security researchers submit a formal bug bounty report validating the unauthenticated API flaw. |
| June 9, 2026 | Gated Disclosure | ServiceNow publishes support bulletin KB3067321 behind a gated login portal, notifying affected organizations through direct support cases. |
| June 10, 2026 | Secondary Remediation | ServiceNow applies an additional emergency update to hosted instances to protect against a variant of the flaw affecting two more endpoints. |

Security Hardening and Recommendations

Organizations must execute the following hardening protocols immediately to contain residual risk:

  • Confirm Patch Status: Validate with ServiceNow support that the June 5 emergency patch is active on all hosted environments. Manually apply the update to any self-hosted, on-premises, or custom-configured tenants.
  • Apply Variant Updates: Verify that the June 10 maintenance update protecting the two secondary unauthenticated Scripted REST endpoints has been fully deployed across all instances.
  • Audit Custom REST Operations: Inspect the Scripted REST API table (sys_ws_operation). Ensure that the Requires Authentication setting is explicitly checked for all custom, legacy, or third-party endpoints.
  • Review Access Controls: Validate Access Control List (ACL) configurations. Because authentication settings and ACL enforcement operate independently within ServiceNow Scripted REST Resources, both must be secured to maintain a strict zero-trust state.
  • Rotate Exposed Secrets: Rotate all credentials, API tokens, temporary passwords, and webhook secrets shared or documented in IT support tickets, case records, or active workflows. These repositories were heavily targeted during the June 2–3 exploitation window.
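The third and fourth recommendations above (audit sys_ws_operation for the Requires Authentication flag, and check ACL enforcement separately because the two controls are independent) can be turned into a repeatable check. The script below is an added example, not ServiceNow's or Deepwatch's code. It assumes an export of sys_ws_operation in the shape the ServiceNow Table API returns (boolean columns as the strings "true"/"false"), uses http_method and relative_path as the resource label, and assumes requires_acl_authorization as the ACL column name; only requires_authentication is named by the advisory. The sample records are constructed.

```javascript
// Added example (not ServiceNow's or Deepwatch's code): audit an export of the
// Scripted REST operations table (sys_ws_operation) for resources that accept
// unauthenticated requests or skip ACL enforcement.
// Assumptions: records follow the ServiceNow Table API output shape (booleans
// as the strings "true"/"false"); http_method and relative_path label the
// resource; requires_acl_authorization is an assumed column name.

// Constructed sample export of sys_ws_operation (not real tenant data).
const SAMPLE_OPERATIONS = [
  { name: 'create', http_method: 'POST', relative_path: '/related_list_edit/create',
    requires_authentication: 'false', requires_acl_authorization: 'true' },
  { name: 'legacy_export', http_method: 'GET', relative_path: '/legacy/export',
    requires_authentication: '', requires_acl_authorization: 'false' },
  { name: 'incident_lookup', http_method: 'GET', relative_path: '/incident/{sys_id}',
    requires_authentication: 'true', requires_acl_authorization: 'false' },
  { name: 'status', http_method: 'GET', relative_path: '/status',
    requires_authentication: 'true', requires_acl_authorization: 'true' },
];

// Table API booleans arrive as strings. Empty or missing values are reported
// as "unset" rather than silently assumed safe.
function parseFlag(value) {
  if (value === true || value === 'true') return true;
  if (value === false || value === 'false') return false;
  return null;
}

// One finding per risky operation. Authentication and ACL enforcement are
// independent controls on Scripted REST Resources, so both flags are checked:
// a disabled or unset authentication flag is rated high (requests would run
// under the Guest context); an ACL gap on an authenticated resource is medium.
function auditRestOperations(records) {
  const findings = [];
  for (const rec of records) {
    const auth = parseFlag(rec.requires_authentication);
    const acl = parseFlag(rec.requires_acl_authorization);
    const issues = [];
    if (auth === false) issues.push('requires_authentication=false: requests run as Guest');
    else if (auth === null) issues.push('requires_authentication unset: verify, treat as unauthenticated');
    if (acl === false) issues.push('ACL authorization disabled');
    else if (acl === null) issues.push('ACL authorization flag unset');
    if (issues.length === 0) continue;
    findings.push({
      resource: `${rec.http_method} ${rec.relative_path}`,
      severity: auth === true ? 'medium' : 'high',
      issues,
    });
  }
  return findings;
}

// Counts findings by severity for a one-line status summary.
function summarize(findings) {
  const counts = { high: 0, medium: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

const report = auditRestOperations(SAMPLE_OPERATIONS);
console.log(JSON.stringify(report, null, 2));
console.log('summary:', summarize(report));
```

On the constructed sample the audit reports three of the four operations: the unauthenticated create resource and the legacy export (both high), and the authenticated incident lookup that skips ACL checks (medium). Treating an empty flag as a finding rather than as "safe" matters here, because the root cause described above was a default that nobody had explicitly set.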

Detection Strategy

Defenders must execute a retrospective and continuous monitoring strategy to identify potential compromise:

  1. Log Analysis: Review ServiceNow transaction and node logs, specifically focusing on the active sweep window of June 2–3, 2026. Search for queries targeting /api/now/related_list_edit/create or the secondary endpoints patched on June 10.
  2. Context Verification: Audit logs for requests executed under the Guest user context. Unauthenticated exploitation is routed through this default context, which is how identity checks were bypassed.
  3. Network Telemetry: Monitor for traffic originating from the known malicious IP address 51.159.98[.]241.
  4. Log Visibility Audit: Confirm whether REST message logging was enabled prior to the incident. If logging was disabled, transaction bodies or response payloads will not be visible; document this visibility gap for risk planning.
  5. SIEM Integration: Ingest transaction logs into your SIEM platform and configure real-time alerts for unauthenticated related_list_edit transactions.
  6. Database Integrity Checks: Inspect the sys_group_has_role table for unauthorized modifications, focusing on administrative roles added to default groups or demo accounts.
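Steps 1, 2, 3, 5 and 6 above describe rules that can be run over exported logs and table data. The script below is an added example, not ServiceNow's or Deepwatch's code, and runs two of those checks over constructed data: triage of transaction-log lines for the watched URI path, the Guest user context and the advisory's source IP (flagging whether each hit falls inside the June 2–3, 2026 sweep window), and an integrity pass over sys_group_has_role rows for privileged roles bound during that window or written by the guest account. The key=value log layout, the ISO timestamps and the group/role row shape are assumptions; real ServiceNow transaction-log fields and sys_created_on formats need their own mapping.

```javascript
// Added example (not ServiceNow's or Deepwatch's code). Runs two detection
// checks from the advisory over constructed data:
//   1. triage of transaction-log lines (watched path, Guest context, indicator IP)
//   2. integrity check of sys_group_has_role rows for suspicious role bindings
// Assumptions: key=value log lines with ISO timestamps; row shape for
// sys_group_has_role is simplified (group, role, sys_created_on, sys_created_by).

// Indicators are kept defanged in config and normalized before matching.
function refang(ip) { return ip.replace(/\[\.\]/g, '.'); }

const WATCHED_PATHS = new Set(['/api/now/related_list_edit/create']);
const INDICATOR_IPS = new Set(['51.159.98[.]241'].map(refang)); // from the advisory
const WINDOW_START = Date.parse('2026-06-02T00:00:00Z');
const WINDOW_END = Date.parse('2026-06-04T00:00:00Z'); // exclusive: covers June 2-3
const PRIVILEGED_ROLES = new Set(['admin', 'security_admin']);

function inWindow(timestamp) {
  const t = Date.parse(timestamp);
  return t >= WINDOW_START && t < WINDOW_END;
}

// Constructed transaction-log lines (not real logs).
const SAMPLE_LOG = [
  'ts=2026-06-02T14:03:11Z src=51.159.98.241 user=guest method=POST uri="/api/now/related_list_edit/create?sysparm_limit=500" status=200',
  'ts=2026-06-02T14:03:12Z src=51.159.98.241 user=guest method=POST uri="/api/now/table/sys_group_has_role" status=403',
  'ts=2026-06-08T09:15:00Z src=10.20.30.40 user=jdoe method=GET uri="/api/now/table/incident?sysparm_limit=10" status=200',
  'ts=2026-06-08T09:16:00Z src=10.20.30.41 user=guest method=GET uri="/api/now/related_list_edit/create" status=401',
];

// Parses key=value pairs; quoted values may contain spaces.
function parseLogLine(line) {
  const fields = {};
  for (const m of line.matchAll(/(\w+)=("[^"]*"|\S+)/g)) {
    fields[m[1]] = m[2].replace(/^"|"$/g, '');
  }
  return fields;
}

// Returns an alert for a line matching any rule, else null. The query string
// is dropped so the path comparison is exact.
function triageLine(line) {
  const f = parseLogLine(line);
  const path = (f.uri || '').split('?')[0];
  const reasons = [];
  if (WATCHED_PATHS.has(path)) reasons.push('watched endpoint');
  if (path.startsWith('/api/now/') && f.user === 'guest') reasons.push('guest context on REST API');
  if (INDICATOR_IPS.has(refang(f.src || ''))) reasons.push('known indicator IP');
  if (reasons.length === 0) return null;
  return { ts: f.ts, src: f.src, user: f.user, path, status: f.status, reasons, inSweepWindow: inWindow(f.ts) };
}

function triageLog(lines) {
  return lines.map(triageLine).filter((a) => a !== null);
}

// Constructed sys_group_has_role rows (not real data).
const SAMPLE_GROUP_ROLES = [
  { group: 'Service Desk', role: 'admin', sys_created_on: '2026-06-02T14:05:00Z', sys_created_by: 'guest' },
  { group: 'Service Desk', role: 'itil', sys_created_on: '2025-01-10T08:00:00Z', sys_created_by: 'admin' },
  { group: 'Platform Admins', role: 'admin', sys_created_on: '2025-01-10T08:00:00Z', sys_created_by: 'admin' },
  { group: 'Demo Group', role: 'security_admin', sys_created_on: '2026-06-03T02:00:00Z', sys_created_by: 'system' },
];

// Flags bindings written by the guest account (never legitimate) and
// privileged roles added during the sweep window, whoever wrote them.
function checkGroupRoles(rows) {
  return rows
    .filter((r) => r.sys_created_by === 'guest' || (PRIVILEGED_ROLES.has(r.role) && inWindow(r.sys_created_on)))
    .map((r) => ({ ...r, reason: r.sys_created_by === 'guest' ? 'written by guest' : 'privileged role added in sweep window' }));
}

console.log(JSON.stringify(triageLog(SAMPLE_LOG), null, 2));
console.log(JSON.stringify(checkGroupRoles(SAMPLE_GROUP_ROLES), null, 2));
```

The post-patch 401 on June 8 still surfaces as an alert (watched endpoint, guest context) but is marked outside the sweep window; keeping the status code in the alert lets an analyst separate blocked probes from the 200 responses that matter for the retrospective review. The role check deliberately flags any row created by guest regardless of role, since that account should never write to sys_group_has_role.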

How Deepwatch Protects Our Customers

Deepwatch protects customer environments through continuous monitoring and automated detection engineering. The Deepwatch Security Operations Center (SOC) utilizes specialized SIEM correlation rules to analyze ingested ServiceNow transaction and node logs, alerting analysts to any anomalous queries directed toward /api/now/related_list_edit/create or related unauthenticated endpoints. Deepwatch monitors for requests executing under the Guest user context and blocks traffic from the known malicious IP address 51.159.98[.]241.

Our threat intelligence analysts proactively audit customer Scripted REST API resources (sys_ws_operation) to identify endpoints where the requires_authentication parameter remains unset or misconfigured. Deepwatch threat hunters also conduct retrospective reviews of database modifications, seeking unauthorized role changes on the sys_group_has_role table. We continuously track dark web marketplaces and criminal repositories to detect if customer credentials, IT support tickets, or configuration details are leaked, ensuring rapid containment of downstream exploitation attempts.

Relevant Detections

  • Please visit Security Center to access the relevant detections for this activity.

Threat Hunting Leads

  • IP Address: 51.159.98[.]241
  • URI Path: /api/now/related_list_edit/create

Technical Artifacts 

Please visit Security Center to access the associated technical artifacts.

Threat Object Mapping

Intrusion Set:

  • Unknown at this time.

Attack Pattern (MITRE ATT&CK):

| Tactic | Technique | Technique ID | Associated Threat Activity |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | Exploitation of unauthenticated REST API endpoint /api/now/related_list_edit/create. |
| Defense Evasion | Use Alternative Authentication Material | T1556 | Requests routed through the Guest user account, blending with legitimate guest traffic. |
| Persistence | Create or Modify System Process | T1543 | Attempts to write backdoor administrative permissions directly to the sys_group_has_role table. |
| Credential Access | Unsecured Credentials | T1552 | Search and exfiltration of credentials and tokens stored in support tickets and workflows. |

Vulnerabilities:

  • None identified (ServiceNow is currently evaluating whether to assign or publish a CVE for this configuration issue, tracked under ServiceNow KB3067321).

Malware/Tool:

  • Unknown (Standard HTTP requests utilized to exploit the misconfigured API endpoint; no advanced malware or execution tools identified).
