The ServiceNow Knowledge Base (KB) leak exposed sensitive corporate data from over 1,000 instances of the platform, largely due to misconfigured access controls. These KBs, used to store critical corporate data like PII, system credentials, and internal processes, were inadvertently exposed, giving unauthorized users access via public widgets. This widespread misconfiguration highlights ongoing issues with securing SaaS platforms and reinforces the need for stronger access controls and proper configuration management to prevent future breaches.
Over 1,000 individual ServiceNow instances were found to have unintentionally exposed Knowledge Base articles, allowing unauthorized users to access sensitive information. These articles, designed to store internal documentation such as login procedures, HR processes, and system credentials, were left open to public access due to a combination of misconfigured ACLs and ineffective User Criteria settings. The exposure was discovered through extensive research and testing by AppOmni, who identified flaws in the way KB access controls were applied.
The exposure’s root cause lies in how Access Control Lists (ACLs) and User Criteria are applied to ServiceNow’s KB articles. The UserIsAuthenticated attribute, which ensures that only verified users can access internal resources, was not applied to KB articles by default. This allowed public widgets to access KB content without authentication, making them vulnerable to unauthorized access.
There are two key reasons why this misconfiguration persisted:
AppOmni’s research demonstrated how unauthenticated actors could exploit the vulnerability through a proof-of-concept (PoC) attack. Attackers could leverage Burp Suite to brute-force the incremental KB article IDs (formatted as KBXXXXXXX) and retrieve article content. This method allowed attackers to exfiltrate sensitive data such as:
This rapid data retrieval method allowed attackers to target multiple ServiceNow instances simultaneously, increasing the potential scale of the breach.
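Because the PoC relies on walking incremental `KBXXXXXXX` identifiers, the pattern is easy to spot on the defending side: one client, no authenticated user, and a run of near-sequential article IDs in a short window. The following script is an added example, not code from the original article or from AppOmni's research. The log format it parses (`<ISO timestamp> <client_ip> <user or '-'> <path>`) and the `/kb/article/KB...` path are constructed for illustration; real ServiceNow or proxy logs differ, so `parse_line` would need to be adapted to your format.

```python
"""Detect sequential Knowledge Base article enumeration in access logs.

Added example (not from the original article or AppOmni). The log format
and the request path below are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Article IDs are formatted KBXXXXXXX (seven digits) per the article.
KB_ID_RE = re.compile(r"KB(\d{7})")
# Constructed log line: "<ISO timestamp> <client_ip> <user or '-'> <path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample log: one unauthenticated client walking IDs in order,
# one logged-in user reading two unrelated articles, one non-KB request.
SAMPLE_LOG = """\
2024-09-10T10:00:01 203.0.113.7 - /kb/article/KB0010001
2024-09-10T10:00:02 203.0.113.7 - /kb/article/KB0010002
2024-09-10T10:00:02 203.0.113.7 - /kb/article/KB0010003
2024-09-10T10:00:03 203.0.113.7 - /kb/article/KB0010004
2024-09-10T10:00:03 203.0.113.7 - /kb/article/KB0010005
2024-09-10T10:00:04 203.0.113.7 - /kb/article/KB0010006
2024-09-10T10:05:00 198.51.100.4 alice /kb/article/KB0010042
2024-09-10T10:12:00 198.51.100.4 alice /kb/article/KB0010108
2024-09-10T10:30:00 192.0.2.9 - /login
"""


def parse_line(line):
    """Return a record for a KB article request, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, path = m.groups()
    kb = KB_ID_RE.search(path)
    if not kb:
        return None
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "user": None if user == "-" else user,
        "kb": int(kb.group(1)),
    }


def find_enumeration(lines, window=timedelta(minutes=5), min_requests=5, max_gap=2):
    """Flag clients that fetch at least `min_requests` distinct KB articles whose
    IDs are within `max_gap` of each other, all inside `window`.

    Unauthenticated clients (user '-') are the important case: KB content is
    supposed to require a logged-in user, so such a run points at the kind of
    misconfiguration the article describes. One finding is emitted per client.
    """
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            ids = sorted({r["kb"] for r in span})
            if len(ids) < min_requests:
                continue
            gaps = [b - a for a, b in zip(ids, ids[1:])]
            if all(0 < g <= max_gap for g in gaps):
                findings.append({
                    "ip": ip,
                    "first_id": ids[0],
                    "last_id": ids[-1],
                    "count": len(ids),
                    "unauthenticated": any(r["user"] is None for r in span),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG.splitlines()):
        print(f)
```

Run against the constructed sample, the script reports a single finding for `203.0.113.7` with `unauthenticated` set to true; the logged-in user reading two widely spaced articles is not flagged. The thresholds (`window`, `min_requests`, `max_gap`) are starting points; tune them against your own baseline of legitimate KB traffic, and treat any unauthenticated hit on a KB article as worth investigating regardless of volume, since the article's point is that such requests should not succeed at all.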
The leak impacted over 1,000 organizations using ServiceNow, spanning healthcare, finance, government, and technology industries. Many of these companies rely on third-party vendors to manage their ServiceNow configurations, further complicating the security landscape. Organizations with multiple ServiceNow instances were particularly vulnerable, as misconfigurations in one instance were often cloned to others, multiplying the risk.
In some cases, the exposed data included personally identifiable information (PII), login credentials, and even access tokens for live systems. Such sensitive data being exposed can lead to both immediate attacks and long-term exploitation.
The vulnerability was first discovered in April 2023 and continued to affect ServiceNow instances into September 2024. The exposure persisted despite ServiceNow’s efforts to update security configurations in 2023, as these updates did not fully address the KB article exposure problem.
Organizations can take several measures to mitigate the risk and protect their KB articles from unauthorized access:
In response to this issue, ServiceNow started proactively contacting customers to guide them on securing their KBs. The company also began enforcing tighter configurations for KB articles starting in September 2024.
Third-party vendors are a key element of the ServiceNow data breach. Numerous businesses depend on outside contractors to oversee their ServiceNow systems, which makes it essential that these third parties adhere to strict security protocols. Despite ServiceNow offering strong tools and controls, leaks often occur because of third-party management failures.
Companies should pay careful attention to their third-party vendors, and for good reason.
Third-party vendors responsible for handling platforms such as ServiceNow may not consistently follow the required security settings. This event underscores the dangers of incorrect implementation of Access Control Lists (ACLs) and user criteria, leading to the exposure of sensitive Knowledge Base (KB) articles.
Third-party risk management (TPRM) is vital: companies need a robust framework in place for regularly auditing vendors and ensuring they adhere to security best practices. In the absence of this monitoring, a minor misconfiguration could result in a significant data breach.
While third-party vendors manage the daily tasks of platforms such as ServiceNow, it is the company that holds the final accountability for the security of data. It is important for them to make sure that vendors are applying security patches, reviewing access controls, and addressing vulnerabilities quickly.
By strengthening oversight of third parties and enforcing rigorous security measures, companies can better safeguard their systems and data from comparable incidents.
The ServiceNow Knowledge Base exposure serves as a stark reminder of the importance of rigorous access controls and the dangers of misconfigurations in cloud-based platforms. Organizations must regularly audit their systems, apply stronger authentication methods, and ensure that both ACLs and User Criteria are properly configured to protect sensitive data. By taking these precautions, businesses can safeguard their internal knowledge and reduce the risk of data breaches.
For more details on the vulnerability and its implications, read AppOmni’s research here.