ServiceNow patches bug after data could be public

ServiceNow says it patched a bug on June 5 that could let unauthenticated users access data stored in some customer instances. The knowledge base article was hidden behind a login wall before being shared publicly, and questions remain about who gained access,
The moment ServiceNow’s June 5 patch landed, the company’s customers were left with a more uncomfortable question than usual: what if their instance was reachable from the open internet, without a password?
ServiceNow appears to have notified some enterprise customers that a software bug on its platform was exposing data to anyone on the internet. A knowledge base article describing the issue—kept behind a login wall by ServiceNow but shared later on Reddit—states that the company patched certain customer instances to fix a bug that allowed unauthenticated users to “gain greater access” to ServiceNow-hosted data than intended.
The bug, according to the article, made it possible for potentially anyone to obtain data stored in customer instances without requiring credentials, such as a password.
What that means in practice is exactly what still isn’t clear. It’s not known who, if anyone, actually accessed the data, what specific information was exposed, or whether any third party was involved. Because the problem stems from a data-exposing bug, it’s also unclear whether customers could have protected themselves using their own settings.
ServiceNow, a major cloud technology company used by thousands of enterprises, lets customers automate internal business processes. Businesses build workflows on the platform that connect to systems including IT and HR databases, then use those workflows for recurring tasks like onboarding staff, resolving tech support tickets, and powering chatbots.
That also makes ServiceNow an attractive target. The platform can hold sensitive information, including customer support tickets that may contain passwords, keys, and credentials.
ServiceNow said the issue relates to Australian customer instances. But on Reddit, people who say they are not located in Australia reported identifying evidence of external access to their ServiceNow instances.
Network defenders shared an IP address, 51.159.98.241, described as an indicator of potential compromise if it appears in a customer’s logs.
A ServiceNow spokesperson did not immediately respond to an email seeking answers on how many customers may have been affected and how long the bug may have been exposing data. The company’s knowledge base article confirms the patch timing—June 5—but leaves customers still waiting for the missing details: the scope, the data, and the real-world impact.
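To check exported logs for the address quoted above, this added example (not ServiceNow's code and not taken from the knowledge base article) matches it as a whole IP token, so look-alike values do not count, and reports when it first and last appears. The log lines, their layout and their dates are constructed, and the leading ISO 8601 timestamp is an assumption about the export format.

```python
import ipaddress
import re
from datetime import datetime

# Indicator quoted in the article.
IOC = ipaddress.ip_address("51.159.98.241")

# IPv4-shaped tokens not embedded in a longer digit/dot run (e.g. 1.51.159.98.241),
# while still matching an address followed by sentence punctuation.
IPV4_TOKEN = re.compile(r"(?<!\d)(?<!\d\.)\d{1,3}(?:\.\d{1,3}){3}(?!\d|\.\d)")
# Assumption: each exported line starts with an ISO 8601 timestamp.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")

# Constructed sample lines; paths, fields and dates are illustrative only.
SAMPLE_LOG = [
    "2000-01-01T01:12:09 GET /api/example 200 src=51.159.98.241",
    "2000-01-01T01:12:10 GET /api/example 200 src=151.159.98.241",
    '2000-01-02T22:40:51 GET /example.do 200 src=10.0.0.5 xff="51.159.98.241, 10.0.0.5"',
    "2000-01-03T08:00:00 GET /example.do 200 src=51.159.98.24",
    "2000-01-03T09:30:00 agent build 1.51.159.98.241 started",
]

def line_has_ioc(line):
    """True if any IPv4 token on the line equals the indicator exactly."""
    for token in IPV4_TOKEN.findall(line):
        try:
            if ipaddress.ip_address(token) == IOC:
                return True
        except ValueError:  # octet > 255 or leading zeros: not a valid address
            continue
    return False

def summarize(lines):
    """Return 1-based hit line numbers plus first/last timestamps seen."""
    hit_lines, times = [], []
    for number, line in enumerate(lines, start=1):
        if not line_has_ioc(line):
            continue
        hit_lines.append(number)
        stamp = TIMESTAMP.match(line)
        if stamp:
            times.append(datetime.fromisoformat(stamp.group(0)))
    return {
        "hit_lines": hit_lines,
        "first_seen": min(times).isoformat() if times else None,
        "last_seen": max(times).isoformat() if times else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A hit only shows that the address reached the instance; whether the request was authenticated and what it returned has to be read from the matching log entries themselves.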
So basically ServiceNow got hacked and then “patched” it? That’s always how these stories go.
I saw this on Reddit and immediately checked nothing because I don’t even know what a ServiceNow instance is. If it’s exposed without auth then… anyone could see company stuff??
That IP address number they mentioned (51.159.98.241) sounds like some random AWS thing so I don’t buy the whole “indicator of compromise” part. Like could just be normal traffic? Also how is it “unauthed” if there’s still network firewalls…
This is why I hate cloud vendors. They say it was only Australian customers but then people online are like “it happened to me too.” If you’re running HR/onboarding on there, that’s passwords and keys… so yeah, who even knows what was exposed.