Count(er) Strike – Data Inference Vulnerability in ServiceNow
Varonis Threat Labs discovered a high-severity vulnerability in ServiceNow’s platform that could lead to significant data exposure and exfiltration, including PII, credentials, and other sensitive information.
ServiceNow is a widely used platform with 85% of its customer base being in the Fortune 500. Our researchers were able to exploit the record count UI element on list pages, using enumeration techniques and query filters to infer and expose sensitive data from various tables within ServiceNow.
This vulnerability impacted several widely used ServiceNow solutions and tables and is relatively simple to exploit, as it requires only minimal access to the target tables. This makes the vulnerability a major concern for organizations using the platform, as sensitive data could be accessed and exfiltrated by users who are unaware they have access to it.
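As an added illustration of the defensive side of what is described above (this is example code written for this page, not Varonis' or ServiceNow's own code): a small detector that flags one user driving many STARTSWITH-filtered list requests against the same field of the same table within a short window, where each filter value extends a previous one. That request pattern is what a record-count inference leaves behind in access logs. The log line format is constructed for the example, and the table name `sys_user`, the field name `email` and the thresholds are assumptions; `sysparm_query` encoded queries and the `STARTSWITH` operator are real ServiceNow concepts, but how your instance logs them will differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (NOT ServiceNow's real log format): who requested a
# list view of which table with which encoded query. Names and values are made up.
SAMPLE_LOG = """\
2025-07-09T10:00:01Z user=alice table=incident query=active=true
2025-07-09T10:00:05Z user=mallory table=sys_user query=emailSTARTSWITHa
2025-07-09T10:00:06Z user=mallory table=sys_user query=emailSTARTSWITHb
2025-07-09T10:00:07Z user=mallory table=sys_user query=emailSTARTSWITHab
2025-07-09T10:00:08Z user=mallory table=sys_user query=emailSTARTSWITHabc
2025-07-09T10:00:09Z user=mallory table=sys_user query=emailSTARTSWITHabcd
2025-07-09T10:00:30Z user=bob table=incident query=short_descriptionSTARTSWITHprinter
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) table=(\S+) query=(\S+)$")
# ServiceNow encoded queries join conditions with '^'; STARTSWITH is one of its operators.
STARTSWITH_RE = re.compile(r"(\w+)STARTSWITH([^\^]*)")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, table, query = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "table": table,
        "filters": STARTSWITH_RE.findall(query),  # [(field, prefix), ...]
    }


def count_chained(values):
    """Number of distinct prefixes that extend another prefix in the same set."""
    vals = set(values)
    return sum(1 for v in vals if any(v != w and v.startswith(w) for w in vals))


def detect_prefix_enumeration(log_text, window=timedelta(minutes=5),
                              min_requests=4, min_chained=2):
    """Return one alert per (user, table, field) whose STARTSWITH requests inside
    a sliding time window are both numerous and chained prefix-by-prefix."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        for field, prefix in ev["filters"]:
            groups[(ev["user"], ev["table"], field)].append((ev["ts"], prefix))

    alerts = []
    for (user, table, field), events in groups.items():
        events.sort()
        best = None
        for i in range(len(events)):
            # Grow the window from event i as far as the time limit allows.
            j = i
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
                j += 1
            sub = events[i:j + 1]
            prefixes = [p for _, p in sub]
            chained = count_chained(prefixes)
            if len(set(prefixes)) >= min_requests and chained >= min_chained:
                if best is None or len(sub) > best["requests"]:
                    best = {
                        "user": user, "table": table, "field": field,
                        "requests": len(sub), "chained": chained,
                        "first_seen": sub[0][0], "last_seen": sub[-1][0],
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_prefix_enumeration(SAMPLE_LOG):
        print(alert)
```

The chaining check is what separates an analyst typing a few unrelated searches from a filter sequence that narrows one value character by character; tune `window`, `min_requests` and `min_chained` to your own instance's traffic, and pair the alert with a review of which roles can read the tables in question, since the post notes that minimal access is enough.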
Varonis researchers initially discovered and informed ServiceNow of this vulnerability, which we’ve named Count(er) Strike, in February 2024. ServiceNow issued a patch on July 8, 2025 (CVE-2025-3648).