ServiceNow Zero-Day Exploited for Two Months Before Emergency Patch

ServiceNow deployed emergency security updates to customer instances on June 5, 2026, after discovering active exploitation of an authentication bypass vulnerability that allowed unauthenticated attackers to access sensitive customer data. The incident raises serious questions about vendor response times and internal security prioritization after evidence emerged that ServiceNow knew about the flaw for nearly two months before patching it.

Timeline of a Known Vulnerability

According to user reports on Reddit, ServiceNow received internal notification of the vulnerability on April 7, 2026. The company classified it as non-urgent and scheduled remediation for a future update. This decision proved costly when threat actors began exploiting the flaw on June 2, 2026—a full 56 days after initial internal disclosure.

The vulnerability resurfaced through external channels on June 3-4, when multiple customers submitted similar findings to ServiceNow's bug bounty program. ServiceNow later acknowledged receiving a confidential bug bounty submission on April 22, 2026, more than two weeks after the internal report. The company deployed patches within 24-48 hours of the June bug bounty submissions, but only after detecting anomalous activity indicating active exploitation.

Technical Details and Attack Surface

The vulnerability centers on an endpoint configuration issue that allowed unauthenticated users to gain elevated access to ServiceNow instances under specific circumstances. ServiceNow's security update reconfigured the vulnerable endpoint to restrict access to authenticated users only. The flaw does not yet have a CVE identifier assigned.

The attack surface is narrower than a platform-wide vulnerability but still significant. According to ServiceNow's advisory, customers running the Australia platform release or those who made certain configuration changes to instances on pre-Australia releases were vulnerable. The company detected successful queries against instance tables for a subset of affected customers.

Confirmed Exploitation and Blast Radius

ServiceNow confirmed detecting anomalous activity related to the security issue and observed evidence of successful queries of instance tables. The company notified impacted customers directly but declined to specify the number of affected organizations. A ServiceNow spokesperson emphasized that the incident "was not broad," affecting only a subset of customers.

The malicious activity timeline is narrow but concerning. Exploitation began on June 2, 2026, and continued until ServiceNow deployed the emergency patch on June 5. This three-day window gave attackers time to systematically query instance tables across vulnerable customer environments. The nature of the data accessed depends on each customer's ServiceNow configuration and the tables stored in their instances.

Supply Chain Implications

ServiceNow functions as critical infrastructure for IT service management across thousands of enterprises globally. The platform typically contains sensitive operational data including user credentials, configuration management databases (CMDBs), incident records, change management workflows, and privileged access information. Unauthorized access to this data creates immediate operational security risks and potential downstream supply chain exposure.

The incident demonstrates the risk concentration inherent in enterprise SaaS platforms. A single vulnerability in ServiceNow's hosted infrastructure created exposure across multiple customer organizations simultaneously. While ServiceNow's ability to push updates centrally enabled rapid remediation, the same architecture meant attackers could potentially scale their reconnaissance across multiple victims during the exploitation window.

Vendor Response and Communication Gaps

ServiceNow's response timeline raises questions about internal vulnerability triage processes. The 60-day gap between initial internal disclosure and patching suggests either inadequate severity assessment or insufficient prioritization of authentication bypass vulnerabilities. The company only accelerated patching after detecting active exploitation and receiving external bug bounty submissions.

The company initially required customer authentication to access its security advisory, limiting broader security community awareness. ServiceNow prioritized direct notification to affected customers over public disclosure, a decision that aligns with minimizing panic but may have delayed defensive action by security teams monitoring public threat intelligence.

Immediate Actions for ServiceNow Customers

ServiceNow automatically applied security updates to hosted customer instances on June 5, 2026. Organizations do not need to manually patch but should verify the update was applied successfully. Customers running the Australia platform release or those with custom endpoint configurations on earlier releases should prioritize the following actions:

• Review ServiceNow access logs from June 2-5, 2026 for anomalous unauthenticated queries, particularly against instance tables containing sensitive configuration or user data
• Audit ServiceNow instance tables to identify what data was accessible via the vulnerable endpoint and assess downstream risk based on data sensitivity
• Rotate credentials and API keys stored in ServiceNow instances if logs indicate successful unauthorized queries during the exploitation window
• Contact ServiceNow support to confirm whether your instance was among those identified with successful exploitation activity
• Review and tighten endpoint access controls and authentication requirements across ServiceNow integrations and APIs

Strategic Considerations for IT Leadership

This incident reinforces the need for defense-in-depth strategies that assume SaaS platform compromise. ServiceNow instances should be treated as high-value targets requiring enhanced monitoring, data classification, and access controls. Organizations should implement additional authentication layers for ServiceNow access, maintain audit logging with extended retention, and deploy anomaly detection for unusual query patterns.

The 60-day vulnerability window demonstrates that vendor security timelines do not always align with customer risk tolerance. IT leaders should establish vendor security SLAs that define maximum acceptable response times for critical vulnerabilities in essential infrastructure platforms. Security teams should also maintain independent monitoring of SaaS platform activity rather than relying solely on vendor-provided security updates and notifications.

Finally, the incident highlights the importance of data minimization in SaaS platforms. Organizations should audit what sensitive data resides in ServiceNow instances and implement data retention policies that limit exposure windows. Privileged credentials, production configuration data, and sensitive operational information should be stored with additional encryption and access controls beyond platform defaults.