Nearly a year after a trio of serious vulnerabilities in the ServiceNow platform were first disclosed and patched, attackers are back—and this time with precision. Security researchers are now sounding the alarm over a sharp uptick in exploitation attempts, targeting unpatched ServiceNow instances still vulnerable to full database compromise.
Threat intelligence firm GreyNoise reported this week a “notable resurgence of in-the-wild activity” aimed at three CVEs—CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217.
These bugs were initially uncovered by researchers at Assetnote in May 2024 and quietly patched by ServiceNow the same day. Technical details, however, were only made public months later—giving defenders time to react, but also starting the countdown for opportunistic threat actors.
That countdown appears to be over.
According to GreyNoise telemetry, attackers have ramped up scanning and exploit attempts, particularly against targets in Israel, which made up 70% of recent activity. Germany, Japan, and Lithuania also saw spikes. The firm noted that these vulnerabilities can be chained together to grant unauthenticated, full database access—a potential nightmare scenario for enterprise platforms used to store sensitive HR and employee data.
While ServiceNow emphasized that it “has not observed any customer impact from an attack campaign,” the scope of potential exposure is concerning. On-premise instances, in particular, remain susceptible, as they require customers—not the vendor—to stay current on security patches.
“This speaks specifically to organizations using an on-premise flavor of SaaS software,” said Aaron Costello, Chief of SaaS Security Research at AppOmni. “It is crucial to implement a process for being alerted to the latest security patches released by vendors, and subsequently review and apply them.”
Costello warned that while cloud-hosted platforms benefit from centralized patching, on-prem systems are left to fend for themselves—creating fertile ground for attacks when updates lag behind.
“These attacks are not surprising in the slightest,” he said. “Unfortunately, unlike cloud-hosted versions of the software, the onus of keeping up to date with security patches remains with the customer when it comes to on-premise versions.”
What makes these flaws especially dangerous, according to Costello, is that attackers don’t need a foothold to breach systems. “The fact that ‘full database access’ could be achieved by an entirely unauthenticated actor is unique,” he said. “Generally speaking, issues as severe as this that are discovered in SaaS software typically require some form of initial foothold.”
The vulnerabilities first made headlines when Resecurity, a U.S.-based cybersecurity firm, reported active targeting of the bugs by foreign threat actors. The victims included a Middle Eastern government agency, an energy company, a data center operator, and a software developer—signaling both a wide attack surface and strategic targeting.
Imperva, another security vendor, backed up those findings in July 2024 with its own data showing attack attempts across 6,000 sites, most notably in the financial services sector.
Costello believes the industry should treat these findings as a wake-up call. “There are likely dormant, critical security vulnerabilities that exist today in mature software used by the largest companies in the world,” he said. “Ultimately, the only saving grace was the level of technical expertise that is required to discover a vulnerability like this.”
While the average enterprise might feel powerless against vendor-side flaws, Costello outlined steps that could have helped mitigate the ServiceNow risk—such as deploying IP allowlisting or other network access controls to prevent unauthenticated, remote exploitation.
“Organizations should continue striving to implement security guardrails through proper configuration of their SaaS wherever possible,” he said.
As SaaS adoption continues to accelerate across every sector—from healthcare to finance to government—the cost of complacency grows. For on-premise deployments, particularly, the lesson is clear: patch fast or risk exposure.
Because while vendors may patch promptly, attackers are increasingly willing to wait.