SOCRadar® Cyber Intelligence Inc. | ServiceNow Now Platform Vulnerabilities Enable RCE and SQL Injection Risks (CVE-2024-8923, CVE-2024-8924) – Patch Now
Home

Resources

Blog
Nov 01, 2024
4 Mins Read

ServiceNow Now Platform Vulnerabilities Enable RCE and SQL Injection Risks (CVE-2024-8923, CVE-2024-8924) – Patch Now

ServiceNow’s Now Platform, known for its AI-driven tools that help business processes and increase productivity, recently encountered two critical vulnerabilities. These newly disclosed flaws (CVE-2024-8923 and CVE-2024-8924) pose serious risks to organizations across industries by potentially allowing unauthorized access and exposing sensitive data.

The Now Platform acts as the backbone for ServiceNow’s suite of products, providing a secure, cloud-based environment where organizations manage workflows and automate key functions. Its versatility and broad adoption have made it essential to business operations globally, but they also make it a prime target for cyber threats.

Details of the Now Platform Vulnerabilities CVE-2024-8923 & CVE-2024-8924

Below are the details of the two ServiceNow vulnerabilities, CVE-2024-8923 and CVE-2024-8924, along with the specific risks they present to organizations.

CVE-2024-8923 (CVSS 9.8):

The first vulnerability, CVE-2024-8923, is a critical Sandbox Escape issue affecting the Now Platform. This flaw arises from an input validation error in the Now Platform, which could allow unauthenticated users to perform Remote Code Execution (RCE).

By exploiting this flaw, attackers could potentially gain unauthorized access and control within the context of the platform, posing a risk of data exposure and compromising platform integrity.

CVE-2024-8923 is known to affect releases prior to Xanadu General Availability.

Vulnerability card of CVE-2024-8923 (SOCRadar Vulnerability Intelligence)

Vulnerability card of CVE-2024-8923 (SOCRadar Vulnerability Intelligence)

CVE-2024-8924 (CVSS: 7.5):

This second vulnerability is a blind SQL injection flaw. While not as severe as CVE-2024-8923, it remains a critical concern, particularly for organizations with sensitive data at risk of unauthorized access.

CVE-2024-8924 could allow attackers to retrieve unauthorized data by exploiting input fields within the Now Platform. This flaw can potentially expose confidential data, creating risks for organizational data integrity and confidentiality.

CVE-2024-8924 affects Xanadu, Washington DC, and earlier Now Platform releases.

Potential Exposure

A search on FOFA reveals that over 130,000 ServiceNow instances are exposed online, with more than 90,000 based in the United States. This extensive exposure highlights how critical it is for organizations to promptly apply security patches to address vulnerabilities like CVE-2024-8923 and CVE-2024-8924.

Results for ServiceNow products on FOFA

Results for ServiceNow products on FOFA

Given ServiceNow’s Now Platform’s role in automating essential business functions, unpatched instances present a heightened risk, potentially allowing unauthorized access to sensitive data and critical systems.

ServiceNow’s Disclosure and Patch Updates

On October 29, 2024, ServiceNow disclosed the new flaws CVE-2024-8923 and CVE-2024-8924 through its advisories, stating that they were addressed in patch releases during August and October 2024, respectively. The company strongly encourages organizations to apply the security patches if they have not yet done so.

For further details on the updates and fixed versions, see ServiceNow’s advisories: KB1706070 and KB1706072.

Prevent Exploitation, Monitor Your Vulnerabilities with SOCRadar

Recent history has shown how unpatched ServiceNow vulnerabilities can lead to serious security incidents. In July 2024, attackers leveraged vulnerabilities CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, specifically targeting the ServiceNow MID Server component.

Consistent patching, along with continuous vulnerability monitoring, can significantly reduce exposure to threats. SOCRadar’s Vulnerability Intelligence and Attack Surface Management (ASM) modules support these efforts by providing timely alerts on emerging vulnerabilities, and delivering insights into potential risks threatening your assets. Here are some key features of the SOCRadar XTI platform:

  • Asset Discovery for a complete view of your exposure
  • Continuous Monitoring of internet-facing assets
  • Real-Time Alerts for critical vulnerabilities and security issues
  • Risk-Based Prioritization to tackle high-impact threats
  • Exploitability Insights on active threats
  • Dark Web Monitoring for alerts on leaked exploits and vulnerability chatter
SOCRadar’s Vulnerability Intelligence module page

SOCRadar’s Vulnerability Intelligence module page

With SOCRadar XTI, your organization can maintain a proactive stance, detecting and mitigating vulnerabilities before they become exploitable risks.