GreyNoise has identified a notable resurgence of in-the-wild activity targeting three ServiceNow vulnerabilities

  • CVE-2024-4879 (Critical)
  • CVE-2024-5217 (Critical)
  • CVE-2024-5178 (Medium)

All three vulnerabilities have seen attacker interest in the past 24 hours. 

Over 70% of sessions in the past week were directed at systems in Israel. Over the past week, targeted systems have been detected in Israel, Lithuania, Japan, and Germany, though only Israel and Lithuania saw activity in the past 24 hours. 

These vulnerabilities reportedly may be chained together for full database access.

Notable Increase in Attacker Interest

GreyNoise has recorded the highest number of unique IPs targeting these vulnerabilities in the past month. The number of threat IPs observed in the past 24 hours — with unique IPs in the past 30 days — is as follows: 

CVE-2024-5178 (ServiceNow Input Validation)

  • 36 threat IPs in Past 24hrs 
BLOCK MALICIOUS IPS

This vulnerability is not in CISA’s Known Exploited Vulnerabilities (KEV) catalog. 

CVE-2024-4879 (ServiceNow Template Injection)

  • 48 threat IPs in Past 24hrs
BLOCK MALICIOUS IPS

CVE-2024-5217 (ServiceNow Input Validation)

  • 48 threat IPs in Past 24hrs 
BLOCK MALICIOUS IPS

Recommended Defensive Actions

Organizations using ServiceNow should take the following steps immediately: 

  • Apply Security Patches: Ensure all affected ServiceNow instances are updated with the latest security fixes.
  • Restrict Access: Limit exposure of management interfaces to prevent unauthorized access.
  • Monitor Trends: Use GreyNoise to track activity related to these vulnerabilities. 

GreyNoise will continue monitoring this evolving situation and provide real-time intelligence on observed activity. Leverage the GreyNoise Visualizer to stay updated with the latest. 

667dd40ebb8095e89f275b0d_subscribe-graphic-left

— — —

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account