Disclosure of vulnerability discovered and reported by our employees (CVE-2025-3648)

The vulnerability discovered and reported by SB Technology employee Umi Matsushita was made public on July 8th, and his name was listed in the acknowledgements.

■ Overview
CVE-2025-3648
Data inference through conditional ACLs in the Now Platform
*Now Platform is a cloud platform provided by ServiceNow.

■ Affected systems
All versions of the ServiceNow Now Platform

■ Anticipated impact
In certain conditional access control list (ACL) configurations, this vulnerability could allow unauthenticated and authenticated users to use range query requests to infer instance data that they are not intended to access.

■ Measures
Please apply the security updates provided by ServiceNow in May 2025.

Click here for more details.
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-3648

Vendor Information
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2139567

*The company names, product names, and service names mentioned in this release are trademarks or registered trademarks of our company or each company or organization.

Contact information regarding this matter

● SB Technology Corp. Public Relations Department
E-mail: sbt-press@tech.softbank.co.jp

Disclosure of vulnerability information discovered and reported by our employees (CVE-2025-3648)