ServiceNow bug exposed customer data to unauthorized internet access

ServiceNow has told enterprise customers that a software bug on its cloud platform allowed anyone on the internet to access their sensitive business data without authentication. The company patched the vulnerability on June 5, but not before security researchers accessed multiple customer instances to test the flaw.

The incident highlights the risks that come with storing critical business data on third-party cloud platforms. ServiceNow hosts internal workflows for thousands of companies, including IT support tickets, HR systems, and automated processes that often contain passwords, credentials, and other sensitive information.

A knowledge base article from ServiceNow, which the company has placed behind a login wall but was shared on Reddit, confirms the bug allowed unauthenticated users to gain access to ServiceNow-hosted data. The vulnerability meant anyone could potentially view customer data stored in ServiceNow instances without needing passwords or other credentials.

ServiceNow spokesperson Courtney Johnson told reporters the security incident was not a malicious hack. Instead, security researchers discovered and accessed the exposed data as part of bug bounty research. “The security researchers have advised their activity was solely for bug bounty submissions and no data was used or retained,” Johnson said.

The company says it has been in contact with the researchers who initially found the vulnerability. However, ServiceNow has not disclosed which researchers were involved or how many customer accounts were accessed during the testing period.

This type of data exposure bug presents a particularly challenging situation for enterprise customers. Unlike typical security incidents where companies can implement additional protections, customers had no way to defend against this vulnerability until ServiceNow issued the patch. The bug was built into the platform itself.

ServiceNow’s platform is used by thousands of enterprise customers to automate internal business processes. Companies build workflows that connect to various apps and databases, handling tasks like:

  • Employee onboarding and HR processes
  • IT support ticket resolution
  • Automated chatbot responses
  • Database and system integrations

This broad access makes cloud platforms like ServiceNow high-value targets for attackers. Customer support tickets alone often contain passwords, API keys, and system credentials that could be used to access other company systems.

ServiceNow initially said the issue affected customer instances running its Australia releases. However, several Reddit users report finding evidence of external access to ServiceNow instances running other software versions, suggesting the problem may have been more widespread.

Network security teams are now checking their logs for suspicious activity. Security researchers have shared the IP address 51.159.98.241 as an indicator that organizations should look for in their access logs to determine if their data was viewed during the vulnerability window.
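As an added example (not code from the article or from ServiceNow), the following Python script performs the log check described above: it parses access-log lines, keeps only requests from the shared indicator IP that landed before the patch, and summarizes which paths returned data. The combined-log line format, the 2025 year, the request paths and the sample lines are all constructed assumptions; adapt the regex to your own log source.

```python
import re
from datetime import datetime, timezone

# Indicator IP shared by researchers, as quoted in the article.
INDICATOR_IPS = {"51.159.98.241"}

# Patch date from the article; the year is an assumption for the sample data.
PATCHED_AT = datetime(2025, 6, 5, tzinfo=timezone.utc)

# Assumed combined-log style line. This is NOT ServiceNow's own log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines: two reads during the window, one after the patch (rejected).
SAMPLE_LOG = """\
51.159.98.241 - - [04/Jun/2025:10:15:02 +0000] "GET /api/now/table/incident HTTP/1.1" 200 5120
10.20.30.40 - - [04/Jun/2025:10:16:10 +0000] "GET /api/now/table/incident HTTP/1.1" 200 2048
51.159.98.241 - - [04/Jun/2025:10:17:44 +0000] "GET /api/now/table/sys_user HTTP/1.1" 200 9000
51.159.98.241 - - [06/Jun/2025:08:00:00 +0000] "GET /api/now/table/incident HTTP/1.1" 401 0
""".splitlines()


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def find_indicator_hits(lines, indicators=INDICATOR_IPS, patched_at=None):
    """Return entries from indicator IPs; if patched_at is given, only those before it."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["ip"] not in indicators:
            continue
        if patched_at is not None and entry["ts"] >= patched_at:
            continue  # after the fix, so not part of the exposure window
        hits.append(entry)
    return hits


def summarize(hits):
    """Count successful (2xx) responses per path, i.e. requests that actually returned data."""
    by_path = {}
    for h in hits:
        if 200 <= h["status"] < 300:
            by_path[h["path"]] = by_path.get(h["path"], 0) + 1
    return by_path


if __name__ == "__main__":
    for path, count in summarize(find_indicator_hits(SAMPLE_LOG, patched_at=PATCHED_AT)).items():
        print(f"{count} successful read(s) of {path} from indicator IP before patch")
```

A hit only shows that the researchers' address reached an instance; the absence of hits does not by itself prove that no other party used the flaw.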

The incident comes as enterprises increasingly rely on cloud platforms to handle sensitive business operations. While these platforms offer convenience and automation capabilities, they also create single points of failure that can expose vast amounts of corporate data when security issues arise.