ServiceNow Unauthenticated REST API Endpoint Exploited Across Enterprise Customer Tenants — Silent Patch Applied June 5, Weeks After Internal Knowledge

A Scripted REST Resource in ServiceNow shipped with 'requires_authentication=false', allowing unauthenticated actors to query sensitive customer instance tables — including IT tickets, security incident reports, employee records, and embedded API keys — with zero credentials. Exploitation activity was detected June 2–3 from IP 51.159.98.241 hitting /api/now/related_list_edit/create; ServiceNow silently patched hosted instances on June 5 and notified affected customers only through a gated support bulletin (KB3067321), with internal evidence suggesting the company had logged the flaw as early as April 7. Affected organizations should immediately audit transaction logs for Guest-user activity on that endpoint, rotate any credentials or tokens embedded in recent support tickets, and treat the exposure window as a confirmed breach for GDPR and HIPAA notification clock purposes.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.