"On June 5, 2026, ServiceNow applied a security update to hosted customer instances," the company's support bulletin states — an understated line that belies a broader intrusion that allowed attackers to query customer instance tables through an unauthenticated API flaw.
ServiceNow support bulletin and the June 5 update
ServiceNow quietly notified impacted customers via a support bulletin hidden behind its support-login portal and through direct support cases after detecting "anomalous activity" tied to the flaw. The bulletin says the update "concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended." According to the company, the security update changes API endpoint configuration to limit access to authenticated users only. ServiceNow also confirmed attackers exploited the flaw to successfully query customer instance tables and says it is still evaluating whether to publish a CVE for the issue.
The vulnerable REST endpoint: /api/now/related_list_edit/create
ServiceNow has not published technical specifics, but administrators discussing the incident on Reddit tied the activity to a REST endpoint at "/api/now/related_list_edit/create". One commenter said the endpoint was configured with "requires_authentication=false", potentially permitting unauthenticated requests to access instance data; the June 5 update was reported to set requires_authentication to true. While these details come from administrator discussion rather than the vendor bulletin, they align with ServiceNow's explanation that the update altered API endpoint authentication behavior.
Indicators of compromise and observed attacker behavior
Numerous administrators shared indicators of compromise (IoCs) including API requests originating from the IP address 51.159.98.241 and advised colleagues to review logs for calls to the related_list_edit endpoint. ServiceNow has opened support cases with customers it believes are affected; the company told customers that if they have not received a support case, they are not believed to be affected by the incident. BleepingComputer contacted ServiceNow to ask how long the activity had been ongoing, what caused the issue, and whether customer data had been stolen, but did not receive a response before publication.
Customer data potentially exposed
ServiceNow did not disclose exactly which records were accessed. The bulletin, however, notes that instances commonly store sensitive enterprise information, and the report lists examples: IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services. The advisory also points out that support-case information is an increasingly attractive target for threat actors because tickets may contain credentials, API tokens, internal documentation, and authentication secrets shared during troubleshooting.
What this means for technologists, affected enterprises, and security teams
- Technologists and security teams: Review ServiceNow logs for requests to /api/now/related_list_edit and for traffic from 51.159.98.241; ensure API logging is enabled and rotate credentials or tokens that may have been shared through support workflows.
- Affected enterprises and procurement leaders: Confirm whether ServiceNow has opened a support case for your instance; if so, review exposed tickets and records for sensitive information and follow guidance to remediate configuration changes, particularly if your instances run the Australia platform release or are on older releases with specific configuration changes.
- Security operations and incident responders: Treat support tickets as potential vectors for credential exposure — examine ticket contents for embedded secrets and evidence of exfiltration, and apply the vendor-supplied update where it has not yet been applied.
ServiceNow's public silence on technical detail and the extent of data accessed leaves a narrow but actionable path for defenders: verify whether the vendor applied the June 5 update to your instance, search logs for the related_list_edit endpoint and the flagged IP address, and assume any credentials or tokens transmitted in support workflows may need rotation. The company has begun opening support cases for customers it believes are affected and is still determining whether to issue a CVE — steps that will be watched closely by administrators scrambling to understand their exposure.
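The log search recommended above, as an added example (not code from ServiceNow or the original report): it flags rows that hit the related_list_edit endpoint or originate from the flagged IP address, and matches encoded or case-varied forms of the path. The CSV column names (created, url, remote_ip, user) and the "guest" marker for unauthenticated sessions are assumptions about your log export, and the sample rows are constructed.

```python
import csv
import ipaddress
import re
from urllib.parse import unquote, urlsplit

ENDPOINT_PREFIX = "/api/now/related_list_edit"         # path named in admin reports
FLAGGED_IPS = {ipaddress.ip_address("51.159.98.241")}  # IoC shared by admins
ANON_USERS = {"", "guest"}  # assumption: how unauthenticated sessions are logged

def normalise_path(url):
    """Decode, lower-case and collapse slashes so encoded variants still match."""
    return re.sub(r"/{2,}", "/", unquote(urlsplit(url.strip()).path).lower())

def source_ips(field):
    """Accept a single address or a comma-separated forwarded-for chain."""
    found = set()
    for part in (field or "").split(","):
        try:
            found.add(ipaddress.ip_address(part.strip()))
        except ValueError:
            pass  # skip malformed entries rather than abort the triage
    return found

def triage(csv_text):
    """Return (timestamp, reasons) for every row that warrants review."""
    hits = []
    for row in csv.DictReader(csv_text.splitlines()):
        reasons = []
        if normalise_path(row["url"]).startswith(ENDPOINT_PREFIX):
            reasons.append("endpoint")
            if (row.get("user") or "").strip().lower() in ANON_USERS:
                reasons.append("unauthenticated")
        if source_ips(row["remote_ip"]) & FLAGGED_IPS:
            reasons.append("flagged_ip")
        if reasons:
            hits.append((row["created"], reasons))
    return hits

# Constructed sample rows (hypothetical export format), not real log data.
SAMPLE = """created,url,remote_ip,user
2026-06-01 10:00:01,/api/now/table/incident?sysparm_limit=1,198.51.100.7,alice
2026-06-01 10:02:13,/api/now/related_list_edit/create,51.159.98.241,guest
2026-06-01 10:02:40,/api/now//Related_List_Edit/create?x=1,203.0.113.9,
2026-06-01 10:03:05,/api/now/related%5Flist%5Fedit/create,192.0.2.4,bob
2026-06-01 10:04:00,/login.do,"51.159.98.241, 10.0.0.5",guest
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Rows tagged both "endpoint" and "unauthenticated" are the ones to examine first; a "flagged_ip" hit on any other URL still merits review of what that session requested.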
Read the original BleepingComputer reporting here: https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data/




