ServiceNow Flaw CVE-2025-3648 Could Lead to Data Exposure via Misconfigured ACLs

A significant security vulnerability has been uncovered in ServiceNow’s platform that, if exploited successfully, could lead to data exposure and exfiltration.

This vulnerability, identified as CVE-2025-3648 with a CVSS score of 8.2, involves data inference in the Now Platform through conditional access control list (ACL) rules. It has been named Count(er) Strike.

“A vulnerability has been detected in the Now Platform that could potentially allow unauthorized data inference,” ServiceNow stated in a bulletin. “In specific ACL configurations, this vulnerability could enable both unauthenticated and authenticated users to utilize range query requests to infer instance data that should not be accessible to them.”

Cybersecurity firm Varonis, which found and reported the flaw in February 2024, mentioned that it could have been exploited by malicious entities to gain unauthorized access to sensitive information, such as personally identifiable information (PII) and credentials.

The vulnerability primarily affects the record count UI element on list pages, allowing for the easy inference and exposure of confidential data from various tables within ServiceNow.

“This vulnerability could have potentially impacted all ServiceNow instances, affecting hundreds of tables,” Varonis researcher Neta Armon explained in an analysis.

“Most worrisome, this vulnerability was relatively simple to exploit and only required minimal table access, such as a weak user account within the instance or even an anonymously registered user, bypassing the need for privilege escalation and leading to the exposure of sensitive data.”

ServiceNow has introduced new security measures, including Query ACLs, Security Data Filters, and Deny-Unless ACLs, in response to the discovery to mitigate the risk posed by the data inference blind query attack. While there is no evidence of exploitation in the wild, all ServiceNow customers are advised to implement necessary safeguards on sensitive tables.

“ServiceNow customers should be aware that query range Query ACLs will soon default to deny, so they should create exclusions to maintain authorized user ability to perform such actions,” Armon noted.

DLL Hijacking Vulnerability in Lenovo’s TrackPoint Quick Menu Software

TrustedSec recently disclosed a privilege escalation vulnerability (CVE-2025-1729) in Lenovo computers’ TrackPoint Quick Menu software (“TPQMAssistant.exe”) that could allow a local attacker to elevate privileges through a DLL hijacking flaw.

The vulnerability has been patched in version 1.12.54.0 released on July 8, 2025, following responsible disclosure earlier in January.

“The directory containing ‘TPQMAssistant.exe’ is writable by standard users, a significant red flag,” security researcher Oddvar Moe stated. “The folder’s permissions allow the CREATOR OWNER to write files, meaning any local user can drop files into this location.”

An attacker could place a malicious version of ‘hostfxr.dll’ in the directory ‘C:\ProgramData\Lenovo\TPQM\Assistant’ to hijack control flow when the binary is executed, leading to arbitrary code execution.
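The precondition for this class of bug is a directory on the executable’s DLL search path that low-privileged principals can write to. The following PowerShell audit is an added example, not code from the article, TrustedSec or Lenovo: it reads the directory ACL of a given executable, reports any Allow entries that grant write rights to standard-user principals (including CREATOR OWNER, the entry quoted above), and lists DLLs in that directory whose Authenticode signature does not validate, which is a cheap way to spot a planted file. The function names and the default path are assumptions; the path is the one named in the article and should be adjusted for other binaries.

```powershell
# Added example: audit an executable's directory for the writable-directory
# precondition of a DLL hijack, and look for unsigned DLLs already present.
# Function names and the sample path are assumptions for illustration.

function Test-WritableExeDirectory {
    param([Parameter(Mandatory)][string]$ExePath)

    $dir = Split-Path -Parent $ExePath
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "Directory not found: $dir"
        return $null
    }

    # Rights that let a principal create or replace files in the directory
    $writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                 [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    # Principals that a standard (non-admin) user runs as or inherits as file creator
    $lowPriv = @(
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE',
        'Everyone',
        'CREATOR OWNER'
    )

    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $dir
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-UnsignedDll {
    param([Parameter(Mandatory)][string]$Directory)

    # Any DLL whose signature is not 'Valid' deserves a closer look in a
    # directory that a standard user can write to.
    Get-ChildItem -LiteralPath $Directory -Filter '*.dll' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                File            = $_.FullName
                SignatureStatus = $sig.Status
            }
        }
    }
}

# Usage (path taken from the article; adjust for other executables)
$exe = 'C:\ProgramData\Lenovo\TPQM\Assistant\TPQMAssistant.exe'
Test-WritableExeDirectory -ExePath $exe | Format-Table -AutoSize
Get-UnsignedDll -Directory (Split-Path -Parent $exe) | Format-Table -AutoSize
```

An empty result from the first function on a patched install means no standard-user principal holds write rights on the folder; a non-empty result is the condition to fix, normally by removing the write ACE or moving the binary under a location such as Program Files where only administrators can write. Note that ACEs carrying generic rights (for example inherited GenericAll entries) are not covered by the mask above and would need to be expanded separately.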

Microsoft Addresses Kerberos Denial-of-Service (DoS) Vulnerability

Microsoft has also addressed an out-of-bounds read flaw in Windows Kerberos’ Netlogon protocol (CVE-2025-47978, CVSS score: 6.5) that allows an authorized attacker to disrupt service over a network. The vulnerability was fixed in Microsoft’s Patch Tuesday updates for July 2025.

Silverfort, naming the vulnerability NOTLogon, highlighted that it enables any “domain-joined machine with minimal privileges to send a specially-crafted authentication request that will crash a domain controller and cause a full reboot.”

“This vulnerability does not require elevated privileges—only standard network access and a weak machine account are necessary. In typical enterprise environments, any low-privileged user can create such accounts by default,” security researcher Dor Segal explained.
