cbcvebase.
CVE-2024-5178
published 2024-07-10

CVE-2024-5178: ServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases. This…

PriorityP276medium4.9CVSS 3.1
AVNACLPRHUINSUCHINAN
ITWVulnCheck KEV
Exploited in the wild
EPSS
33.59%
98.2th percentile
ServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases. This vulnerability could allow an administrative user to gain unauthorized access to sensitive files on the web application server. The vulnerability is addressed in the listed patches and hot fixes, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.

Affected

12 ranges
VendorProductVersion rangeFixed in
servicenownow_platform< Utah Patch 10 Hot Fix 3Utah Patch 10 Hot Fix 3
servicenownow_platform< Utah Patch 10a Hot Fix 2Utah Patch 10a Hot Fix 2
servicenownow_platform< Utah Patch 10b Hot Fix 1Utah Patch 10b Hot Fix 1
servicenownow_platform< Vancouver Patch 6 Hot Fix 2Vancouver Patch 6 Hot Fix 2
servicenownow_platform< Vancouver Patch 7 Hot Fix 3bVancouver Patch 7 Hot Fix 3b
servicenownow_platform< Vancouver Patch 8 Hot Fix 4Vancouver Patch 8 Hot Fix 4
servicenownow_platform< Vancouver Patch 9 Hot Fix 1Vancouver Patch 9 Hot Fix 1
servicenownow_platform< Vancouver Patch 10Vancouver Patch 10
servicenownow_platform< Washington DC Patch 1 Hot Fix 3bWashington DC Patch 1 Hot Fix 3b
servicenownow_platform< Washington DC Patch 2 Hot Fix 2Washington DC Patch 2 Hot Fix 2
servicenownow_platform< Washington DC Patch 3 Hot Fix 2Washington DC Patch 3 Hot Fix 2
servicenownow_platform< Washington DC Patch 4Washington DC Patch 4

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2024-5178 is chained with CVE-2024-4879 and CVE-2024-5217 to achieve full database access; detection should look for sequential exploitation attempts across all three CVEs on the same source IP
  • Exploitation pattern involves a two-stage payload: first a payload injection to check for a specific result in the server response, then a second-stage payload that checks database contents and dumps user lists and credentials
  • Successful exploitation results in dumping of user lists and account credentials — monitor ServiceNow logs for unexpected credential or user-list enumeration responses
  • Public GitHub exploits and bulk network scanners for CVE-2024-4879 (chained with CVE-2024-5178) were rapidly weaponized; monitor for bulk scanning traffic targeting ServiceNow instances
  • 36 unique threat IPs were observed targeting CVE-2024-5178 in a 24-hour window; use GreyNoise tag-based blocklists to identify and block these IPs
  • Targeting has been geographically concentrated — over 70% of sessions in the past week directed at systems in Israel; also Lithuania, Japan, and Germany. Prioritize monitoring for ServiceNow instances in these regions
  • Threat actors are targeting ServiceNow instances exposed to the internet; FOFA scans show ~300,000 exposed instances — restrict management interface exposure and monitor internet-facing ServiceNow endpoints
  • Underground forum chatter indicates high interest in access to IT service desks and corporate portals via ServiceNow flaws; monitor for credential stuffing or unauthorized logins following exploitation attempts
  • ·CVE-2024-5178 affects the Washington DC, Vancouver, and Utah Now Platform releases; patches were released during the June 2024 patching cycle — ensure detection scope covers all three release lines
  • ·ServiceNow's own investigation did not find evidence that its hosted (cloud) instances were impacted; exploitation activity described by Resecurity may be limited to self-hosted/on-premises deployments

CVSS provenance

nvdv3.14.9MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
nvdv4.06.9MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck6.9MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.