“How secure is your data if the very rules designed to protect it can be used against you?” This unsettling question has taken center stage following the recent disclosure of a high-severity vulnerability in ServiceNow’s Now Platform. Known as CVE-2025-3648 and codenamed Count(er) Strike, this flaw reveals a troubling avenue for data exposure and exfiltration through the misuse of conditional access control list (ACL) rules. With a CVSS score of 8.2, it demands the attention of security professionals, policymakers, and end-users alike.
ServiceNow, a leader in cloud-based enterprise workflow automation, serves millions of users worldwide by streamlining IT services, human resources, and customer workflows. Its platform’s robust access control mechanisms, notably ACLs, are designed to restrict data visibility based on user roles and conditions, forming a fundamental part of its security architecture. However, the newly disclosed vulnerability exploits these very mechanisms, allowing attackers to infer sensitive information indirectly rather than by outright breaching access permissions.
At the core, CVE-2025-3648 involves a data inference flaw whereby conditional ACLs can be manipulated to reveal information that should remain hidden. Instead of bypassing security outright, this attack vector leverages subtle logical inconsistencies or overly permissive conditions in ACLs to deduce protected data values. As one cybersecurity analyst from the firm Mandiant explained, “This is less about cracking a safe and more about reading the dial’s subtle movements — it’s a sophisticated approach to data leakage.”
Security researchers first flagged the vulnerability earlier this year during routine penetration testing. Following responsible disclosure protocols, the flaw was reported to ServiceNow, who promptly issued a security advisory and patches. The company emphasized the importance of applying these updates, warning that “exploitation of this vulnerability could lead to unauthorized exposure of sensitive data, significantly impacting organizational confidentiality.”
Why does this matter beyond the technical community? For enterprises relying on ServiceNow, the stakes are high. Many organizations manage mission-critical data, including personally identifiable information, financial records, and operational secrets within the Now Platform. A successful exploitation could lead to breaches, regulatory penalties, and erosion of customer trust. As John Kindervag, creator of the Zero Trust model, puts it, “This vulnerability underscores the enduring challenge of enforcing least privilege in complex enterprise environments.”
From a policy standpoint, CVE-2025-3648 shines a light on the ongoing tension between innovation and security in cloud services. As digital transformation accelerates, platforms like ServiceNow expand their feature sets and conditional logic capabilities. While this flexibility enhances usability, it also broadens the attack surface, requiring regulators and industry leaders to advocate for rigorous security-by-design principles. The vulnerability serves as a case study in how ACL misconfigurations or logic flaws can have outsized consequences.
Users, whether IT administrators or end clients, must remain vigilant. Applying patches is only the first step; organizations should also audit ACL configurations, conduct regular security reviews, and consider employing advanced monitoring tools to detect anomalous access patterns. As David Svoboda, a threat intelligence expert at Recorded Future, advises, “In scenarios like Count(er) Strike, the difference between vulnerability and exploitability often lies in how well an organization understands and manages its access control policies.”
Adversaries with moderate skill levels may find this vulnerability attractive because it does not require elevated privileges or direct system compromise — it’s about cleverly navigating existing permissions. This subtlety means breaches could go unnoticed for extended periods, compounding damage.
In an era where data is a critical asset, CVE-2025-3648 is a stark reminder that security is never absolute. It challenges the assumption that access control lists, when properly configured, are an impenetrable barrier. Instead, it invites a reevaluation of how these controls are designed, tested, and monitored.
Ultimately, one is left to wonder: as enterprise platforms grow in complexity and capability, can security architects keep pace with the evolving ingenuity of threat actors? Or will vulnerabilities like Count(er) Strike continue to quietly undermine the very systems meant to safeguard our digital lives?





