CVE-2024-4879
published 2024-07-10CVE-2024-4879: ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could…
PriorityP197critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2024-08-19
Exploited in the wild
EPSS
99.98%
100.0th percentile
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| servicenow | now_platform | < Utah Patch 10 Hot Fix 3 | Utah Patch 10 Hot Fix 3 |
| servicenow | now_platform | < Utah Patch 10a Hot Fix 2 | Utah Patch 10a Hot Fix 2 |
| servicenow | now_platform | < Vancouver Patch 6 Hot Fix 2 | Vancouver Patch 6 Hot Fix 2 |
| servicenow | now_platform | < Vancouver Patch 7 Hot Fix 3b | Vancouver Patch 7 Hot Fix 3b |
| servicenow | now_platform | < Vancouver Patch 8 Hot Fix 4 | Vancouver Patch 8 Hot Fix 4 |
| servicenow | now_platform | < Vancouver Patch 9 | Vancouver Patch 9 |
| servicenow | now_platform | < Vancouver Patch 10 | Vancouver Patch 10 |
| servicenow | now_platform | < Washington DC Patch 1 Hot Fix 2b | Washington DC Patch 1 Hot Fix 2b |
| servicenow | now_platform | < Washington DC Patch 2 Hot Fix 2 | Washington DC Patch 2 Hot Fix 2 |
| servicenow | now_platform | < Washington DC Patch 3 Hot Fix 1 | Washington DC Patch 3 Hot Fix 1 |
| servicenow | now_platform | < Washington DC Patch 4 | Washington DC Patch 4 |
| servicenow | servicenow | — | — |
| servicenow | servicenow | — | — |
| servicenow | servicenow | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/login.do?jvar_page_title=%3Cstyle%3E%3Cj:jelly%20xmlns:j=%22jelly%22%20xmlns:g=%27glide%27%3E%3Cg:evaluate%3Egs.addErrorMessage(668.5*2);%3C/g:evaluate%3E%3C/j:jelly%3E%3C/style%3E↗
url/login.do?jvar_page_title=%3Cstyle%3E%3Cj:jelly%20xmlns:j=%22jelly:core%22%20xmlns:g=%27glide%27%3E%3Cg:evaluate%3Ez=new%20Packages.java.io.File(%22%22).getAbsolutePath();z=z.substring(0,z.lastIndexOf(%22/%22));u=new%20SecurelyAccess(z.concat(%22/conf/glide.db.properties%22)).getBufferedReader();s=%22%22;while((q=u.readLine())!==null)s=s.concat(q,%22%5Cn%22);gs.addErrorMessage(s);%3C/g:evaluate%3E%3C/j:jelly%3E%3C/style%3E↗
url/login.do?jvar_page_title=gs.addErrorMessage(1337*1337);
path/login.do
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:9; content:"/login.do"; http.request_body; content:"jvar_page_title|3d|"; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060409; rev:1; metadata:affected_product ServiceNow, attack_target Server, tls_state plaintext, created_at 2025_02_27, cve CVE_2024_5217, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- →POST-based exploitation also observed: look for POST requests to /login.do where the request body contains `jvar_page_title=` (hex-encoded as `jvar_page_title|3d|`) followed by javascript or style keywords, as matched by the Emerging Threats Snort rule (sid:2060409).
- →Second-stage payload attempts to read `/conf/glide.db.properties` via `Packages.java.io.File` and `SecurelyAccess` to exfiltrate database credentials. Monitor HTTP responses from /login.do for patterns matching `glide.db.*=`, `jdbc.*=`, or `database.*=`. ↗
- →The ongoing exploitation utilizes a payload injection to check for a specific result in the server response, followed by a second-stage payload that checks the database contents, ultimately dumping user lists and account credentials (hashed or plaintext). ↗
- →CVE-2024-4879 is actively chained with CVE-2024-5178 and CVE-2024-5217 for full database access. Detection logic should correlate exploitation attempts across all three CVEs on the same source IP. ↗
- →Use Shodan favicon hash `1701804003` or FOFA `icon_hash=1701804003` to identify internet-exposed ServiceNow instances for asset inventory and attack surface monitoring.
- ·ServiceNow's own investigation found no evidence that its hosted instances were impacted; the vendor states hosted instances received fixes on May 14, 2024, well before the July 10 public patch. Self-hosted and partner-managed instances are the primary risk surface. ↗
- ·The Nuclei template uses a single GET request with arithmetic canary (1337*1337=1787569) for detection; this may produce false negatives on patched instances that still reflect numeric strings in error messages for unrelated reasons. Confirm with the second-stage file-read payload before concluding exploitation.
- ·The Emerging Threats Snort rule (sid:2060409) covers both CVE-2024-4879 and CVE-2024-5217 in a single signature and is scoped to plaintext (non-TLS) traffic only (`tls_state plaintext`). Encrypted ServiceNow traffic will not be inspected without TLS inspection in place.
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.3CRITICAL
cisa9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-355h-wpr8-m2qx: ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases
ghsa_unreviewed·2024-07-10
CVE-2024-4879 [CRITICAL] CWE-1287 GHSA-355h-wpr8-m2qx: ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
VulnCheck
ServiceNow Improper Input Validation Vulnerability
vulncheck·2024·CVSS 9.3
CVE-2024-4879 [CRITICAL] CWE-1287 ServiceNow Improper Input Validation Vulnerability
ServiceNow Improper Input Validation Vulnerability
ServiceNow Utah, Vancouver, and Washington DC Now Platform releases contain a jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute code remotely.
Affected: ServiceNow Utah, Vancouver, and Washington DC Now Platform
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.imperva.com/blog/imperva-customers-protected-against-critical-servicenow-vulnerability/; https://www.resecurity.com/blog/article/cve-2024-4879-and-cve-2024-5217-servicenow-rce-exploitation-in-a-global-reconnaissance-campaign; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabili
CISA
ServiceNow Improper Input Validation Vulnerability
cisa·2024-07-29·CVSS 9.3
CVE-2024-4879 [CRITICAL] CWE-1287 ServiceNow Improper Input Validation Vulnerability
Vulnerability: ServiceNow Improper Input Validation Vulnerability
Affected: ServiceNow Utah, Vancouver, and Washington DC Now Platform
ServiceNow Utah, Vancouver, and Washington DC Now Platform releases contain a jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute code remotely.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154; https://nvd.nist.gov/vuln/detail/CVE-2024-4879
Remediation Due Date: 2024-08-19
Suricata
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2
suricata·2025-02-27·CVSS 9.2
CVE-2024-5217 [CRITICAL] ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:9; content:"/login.do"; http.request_body; content:"jvar_page_title|3d|"; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060409; rev:1; metadata:affected_product ServiceNow, attack_target Server, tls_state plaintext, created_at 2025_
Suricata
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M4
suricata·2025-02-27·CVSS 9.2
CVE-2024-5217 [CRITICAL] ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M4
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M4
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/login.do"; startswith; content:"jvar_page_title|3d|"; distance:0; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; content:"j|3a|jelly|20|xmlns|3a|j|3d 22|jelly|3a|core|22 20|xmlns|3a|g|3d 27|glide|27|"; within:80; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060429; rev:1; me
Suricata
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M1
suricata·2025-02-27·CVSS 9.2
CVE-2024-5217 [CRITICAL] ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M1
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M1
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:9; content:"/login.do"; http.request_body; content:"jvar_page_title|3d|"; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; content:"j|3a|jelly|20|xmlns|3a|j|3d 22|jelly|3a|core|22 20|xmlns|3a|g|3d 27|glide|27|"; within:80; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060406; rev:
Suricata
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M3
suricata·2025-02-27·CVSS 9.2
CVE-2024-5217 [CRITICAL] ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M3
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M3
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/login.do"; startswith; content:"jvar_page_title|3d|"; distance:0; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060428; rev:1; metadata:affected_product ServiceNow, attack_target Server, tls_state plaintext, created_at 2025_02_27
Exploit-DB
ServiceNow Multiple Versions - Input Validation & Template Injection
exploitdb·2025-08-11·CVSS 9.3
CVE-2024-4879 [CRITICAL] ServiceNow Multiple Versions - Input Validation & Template Injection
ServiceNow Multiple Versions - Input Validation & Template Injection
---
#!/usr/bin/env python3
"""
# Title : ServiceNow Multiple Versions - Input Validation & Template Injection
# Date: 2025-01-31
# Author: ibrahimsql
# Vendor: ServiceNow
# Version: Vancouver, Washington DC, Utah (various patches)
# affected from 0 before Utah Patch 10 Hot Fix 3
# affected from 0 before Utah Patch 10a Hot Fix 2
# affected from 0 before Vancouver Patch 6 Hot Fix 2
# affected from 0 before Vancouver Patch 7 Hot Fix 3b
# affected from 0 before Vancouver Patch 8 Hot Fix 4
# affected from 0 before Vancouver Patch 9
# affected from 0 before Vancouver Patch 10
# affected from 0 before Washington DC Patch 1 Hot Fix 2b
# affected from 0 before Washington DC Patch 2 Hot Fix 2
# affected from 0 before Washington D
Nuclei
ServiceNow UI Macros - Template Injection
nuclei·CVSS 9.3
CVE-2024-4879 [CRITICAL] ServiceNow UI Macros - Template Injection
ServiceNow UI Macros - Template Injection
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Template:
id: CVE-2024-4879
info:
name: ServiceNow UI Macros - Template Injection
author: DhiyaneshDk,ritikchaddha
severity: critical
description: |
ServiceNow has addressed an i
Greynoiseio
Resurgence of In-The-Wild Activity Targeting Critical ServiceNow Vulnerabilities
blogs_greynoiseio·2025-03-18·CVSS 9.3
[CRITICAL] Resurgence of In-The-Wild Activity Targeting Critical ServiceNow Vulnerabilities
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Checkpoint
29th July – Threat Intelligence Report
blogs_checkpoint·2024-07-29
CVE-2024-32484 29th July – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 29th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th July, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
The Superior Court of Los Angeles was forced to shut down its network following a ransomware attack. The court, the largest in the United States, has closed all of its 36 courthouse locations due to the attack for a few days. No ransomware group has publicly claimed responsibility for the attack.
American cybersecurity firm Kn
Bleepingcomputer
Critical ServiceNow RCE flaws actively exploited to steal credentials
blogs_bleepingcomputer·2024-07-25·CVSS 9.3
[CRITICAL] Critical ServiceNow RCE flaws actively exploited to steal credentials
## Critical ServiceNow RCE flaws actively exploited to steal credentials
## Bill Toulas
Threat actors are chaining together ServiceNow flaws using publicly available exploits to breach government agencies and private firms in data theft attacks.
This malicious activity was reported by Resecurity , which, after monitoring it for a week, identified multiple victims, including government agencies, data centers, energy providers, and software development firms.
Although the vendor released security updates for the flaws on July 10, 2024, tens of thousands of systems potentially remain vulnerable to attacks.
## Exploitation details
ServiceNow is a cloud-based platform that helps organizations manage digital workflows for enterprise operations.
It is widely adopted across various industri
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploithttps://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploithttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4879
2024-07-10
Published
2024-07-29
Added to CISA KEV
Exploited in the wild