CVE-2024-5178
Published: 2024-07-10
Priority P276 · medium · 4.9 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
ITW · VulnCheck KEV: Exploited in the wild
EPSS: 33.59% (98.2th percentile)
ServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases. This vulnerability could allow an administrative user to gain unauthorized access to sensitive files on the web application server. The vulnerability is addressed in the listed patches and hot fixes, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| servicenow | now_platform | < Utah Patch 10 Hot Fix 3 | Utah Patch 10 Hot Fix 3 |
| servicenow | now_platform | < Utah Patch 10a Hot Fix 2 | Utah Patch 10a Hot Fix 2 |
| servicenow | now_platform | < Utah Patch 10b Hot Fix 1 | Utah Patch 10b Hot Fix 1 |
| servicenow | now_platform | < Vancouver Patch 6 Hot Fix 2 | Vancouver Patch 6 Hot Fix 2 |
| servicenow | now_platform | < Vancouver Patch 7 Hot Fix 3b | Vancouver Patch 7 Hot Fix 3b |
| servicenow | now_platform | < Vancouver Patch 8 Hot Fix 4 | Vancouver Patch 8 Hot Fix 4 |
| servicenow | now_platform | < Vancouver Patch 9 Hot Fix 1 | Vancouver Patch 9 Hot Fix 1 |
| servicenow | now_platform | < Vancouver Patch 10 | Vancouver Patch 10 |
| servicenow | now_platform | < Washington DC Patch 1 Hot Fix 3b | Washington DC Patch 1 Hot Fix 3b |
| servicenow | now_platform | < Washington DC Patch 2 Hot Fix 2 | Washington DC Patch 2 Hot Fix 2 |
| servicenow | now_platform | < Washington DC Patch 3 Hot Fix 2 | Washington DC Patch 3 Hot Fix 2 |
| servicenow | now_platform | < Washington DC Patch 4 | Washington DC Patch 4 |
Detection & IOCs (extracted from sources)
- CVE-2024-5178 is chained with CVE-2024-4879 and CVE-2024-5217 to achieve full database access; detection should look for sequential exploitation attempts across all three CVEs on the same source IP.
- Exploitation pattern involves a two-stage payload: first a payload injection to check for a specific result in the server response, then a second-stage payload that checks database contents and dumps user lists and credentials.
- Successful exploitation results in dumping of user lists and account credentials; monitor ServiceNow logs for unexpected credential or user-list enumeration responses.
- Public GitHub exploits and bulk network scanners for CVE-2024-4879 (chained with CVE-2024-5178) were rapidly weaponized; monitor for bulk scanning traffic targeting ServiceNow instances.
- 36 unique threat IPs were observed targeting CVE-2024-5178 in a 24-hour window; use GreyNoise tag-based blocklists to identify and block these IPs.
- Targeting has been geographically concentrated: over 70% of sessions in the past week were directed at systems in Israel, with others in Lithuania, Japan, and Germany. Prioritize monitoring for ServiceNow instances in these regions.
- Threat actors are targeting ServiceNow instances exposed to the internet; FOFA scans show ~300,000 exposed instances. Restrict management interface exposure and monitor internet-facing ServiceNow endpoints.
- Underground forum chatter indicates high interest in access to IT service desks and corporate portals via ServiceNow flaws; monitor for credential stuffing or unauthorized logins following exploitation attempts.
- CVE-2024-5178 affects the Washington DC, Vancouver, and Utah Now Platform releases; patches were released during the June 2024 patching cycle. Ensure detection scope covers all three release lines.
- ServiceNow's own investigation did not find evidence that its hosted (cloud) instances were impacted; exploitation activity described by Resecurity may be limited to self-hosted/on-premises deployments.
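The first detection note (all three chained CVEs seen from one source IP) can be run as a correlation over alerts that an IDS or WAF has already tagged by CVE. This is an added example, not code from any of the cited sources; the alert tuple layout, the one-hour default window and the sample alerts (documentation-range IPs) are assumptions constructed for illustration, and order within the window is not enforced because the page does not state one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The three CVEs the detection notes describe as chained.
CHAIN = frozenset({"CVE-2024-4879", "CVE-2024-5217", "CVE-2024-5178"})

def chained_sources(alerts, window=timedelta(hours=1)):
    """Return {src_ip: (window_start, window_end)} for sources that raised
    alerts for every CVE in CHAIN within `window`.

    `alerts` is an iterable of (iso_timestamp, src_ip, cve_id) tuples, an
    assumed layout for alerts already tagged by CVE upstream.
    """
    by_src = defaultdict(list)
    for ts, src, cve in alerts:
        if cve in CHAIN:
            by_src[src].append((datetime.fromisoformat(ts), cve))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        counts = defaultdict(int)  # CVE -> alerts inside the current window
        for end_ts, cve in events:
            counts[cve] += 1
            # Slide the left edge until the span is at most `window`.
            while end_ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) == len(CHAIN):
                hits[src] = (events[start][0], end_ts)
                break
    return hits

# Constructed sample alerts (not real observations).
SAMPLE_ALERTS = [
    ("2024-07-25T10:00:05", "198.51.100.7", "CVE-2024-4879"),
    ("2024-07-25T10:00:09", "198.51.100.7", "CVE-2024-5217"),
    ("2024-07-25T10:00:14", "198.51.100.7", "CVE-2024-5178"),
    ("2024-07-25T10:02:00", "203.0.113.20", "CVE-2024-4879"),  # one CVE only
    ("2024-07-25T10:02:01", "203.0.113.20", "CVE-2024-4879"),
    ("2024-07-25T08:00:00", "192.0.2.44", "CVE-2024-4879"),    # spread over 5h
    ("2024-07-25T11:00:00", "192.0.2.44", "CVE-2024-5217"),
    ("2024-07-25T13:00:00", "192.0.2.44", "CVE-2024-5178"),
]
```

With the default window only the source that hit all three CVEs within seconds is returned; widening `window` trades fewer misses on slow chains for more overlap with unrelated single-CVE scanning.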
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 6.9 | MEDIUM | |
GHSA
GHSA-qm6x-v3jw-cvp7: ServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases
ghsa_unreviewed·2024-07-10
CVE-2024-5178 [MEDIUM] CWE-184 GHSA-qm6x-v3jw-cvp7: ServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases
VulnCheck
ServiceNow Washington DC, Vancouver, and Utah Now Platform Administrative User Information Disclosure Vulnerability
vulncheck·2024·CVSS 6.9
CVE-2024-5178 [MEDIUM] ServiceNow Washington DC, Vancouver, and Utah Now Platform Administrative User Information Disclosure Vulnerability
Affected: ServiceNow Washington DC, Vancouver, and Utah Now Platform
Required Action: Apply remediations or mitigations per vendor instructions or discontinue
No detection rules found.
No public exploits indexed.
Greynoiseio
Resurgence of In-The-Wild Activity Targeting Critical ServiceNow Vulnerabilities
blogs_greynoiseio·2025-03-18·CVSS 9.3
[CRITICAL] Resurgence of In-The-Wild Activity Targeting Critical ServiceNow Vulnerabilities
Checkpoint
29th July – Threat Intelligence Report
blogs_checkpoint·2024-07-29
CVE-2024-32484 29th July – Threat Intelligence Report
## 29th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The Superior Court of Los Angeles was forced to shut down its network following a ransomware attack. The court, the largest in the United States, has closed all of its 36 courthouse locations due to the attack for a few days. No ransomware group has publicly claimed responsibility for the attack.
American cybersecurity firm Kn
Bleepingcomputer
Critical ServiceNow RCE flaws actively exploited to steal credentials
blogs_bleepingcomputer·2024-07-25·CVSS 9.3
[CRITICAL] Critical ServiceNow RCE flaws actively exploited to steal credentials
## Critical ServiceNow RCE flaws actively exploited to steal credentials
## Bill Toulas
Threat actors are chaining together ServiceNow flaws using publicly available exploits to breach government agencies and private firms in data theft attacks.
This malicious activity was reported by Resecurity, which, after monitoring it for a week, identified multiple victims, including government agencies, data centers, energy providers, and software development firms.
Although the vendor released security updates for the flaws on July 10, 2024, tens of thousands of systems potentially remain vulnerable to attacks.
## Exploitation details
ServiceNow is a cloud-based platform that helps organizations manage digital workflows for enterprise operations.
It is widely adopted across various industri
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648312