SB Technology Corp.
The vulnerability discovered and reported by SB Technology employee Umi Matsushita was made public on July 8th, and his name was listed in the acknowledgements.
■ Overview
CVE-2025-3648
Data inference through conditional ACLs in the Now Platform
*Now Platform is a cloud platform provided by ServiceNow.
■ Affected systems
All versions of the ServiceNow Now Platform
■ Anticipated impact
In certain conditional access control list (ACL) configurations, this vulnerability could allow unauthenticated and authenticated users to use range query requests to infer instance data that they are not intended to access.
■ Measures
Please apply the security updates provided by ServiceNow in May 2025.
For more details, see the following.
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-3648
Vendor Information: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2139567
Contact information regarding this matter
● SB Technology Corp. Public Relations Department
E-mail: sbt-press@tech.softbank.co.jp