ServiceNow shares fell Tuesday after the company disclosed a security incident in which attackers exploited an open API endpoint to query customer instance data. The disclosure came four days after the company patched the flaw.
ServiceNow applied a security fix on June 5, then warned affected customers four days later through a support bulletin that sits behind the company’s own login portal. Reddit administrators said the issue appeared tied to the endpoint /api/now/related_list_edit/create; one commenter claimed the endpoint shipped with requires_authentication set to false, potentially allowing unauthenticated requests to query customer instance tables.
ServiceNow confirmed attackers successfully queried those tables for a subset of customers. It won’t disclose what data was taken, but those instances routinely hold IT support tickets, employee records, API tokens, and credentials engineers paste in during troubleshooting. A single helpdesk queue can contain enough secrets to pivot into a cloud environment or an identity provider.
The four-day gap between patching and public disclosure is where the regulatory clock ticks. The SEC’s cybersecurity rules require public companies to report material incidents within four business days of determining materiality. ServiceNow patched on June 5 and disclosed on June 9, which fits the window on paper, but the materiality clock starts at determination, not remediation. No 8-K has been filed as of Tuesday.
The incident primarily affects customers on the Australia platform release or older builds with specific configuration changes. Administrators who haven’t received a ServiceNow support case aren’t believed to be affected. Affected administrators should review logs for requests to /api/now/related_list_edit from IP 51.159.98.241.
No CVE has been issued. ServiceNow says it’s still evaluating.
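The log review recommended above, as an added example (not ServiceNow tooling and not code from the article). It assumes access logs exported in Common/Combined Log Format, which the article does not specify, and runs over constructed sample lines; it reports every source that reached the endpoint, flagging the named IP separately.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/api/now/related_list_edit"  # path named in the article
REPORTED_IP = "51.159.98.241"            # source IP named in the article

# Assumption: Common/Combined Log Format (ip ident user [ts] "request" status size ...).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise_path(target):
    """Drop the query string, decode percent-encoding, collapse '//' and lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def find_endpoint_hits(lines):
    """Return {source_ip: [hit, ...]} for every request to ENDPOINT or a sub-path."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        path = normalise_path(m["target"])
        if path == ENDPOINT or path.startswith(ENDPOINT + "/"):
            hits[m["ip"]].append({
                "ts": m["ts"], "method": m["method"], "path": path,
                "status": int(m["status"]),
                "unauthenticated": m["user"] == "-",   # no user recorded for the request
                "reported_ip": m["ip"] == REPORTED_IP,
            })
    return dict(hits)

# Constructed sample lines, not real log data. 198.51.100.7 and 203.0.113.20 are
# documentation-range addresses; timestamps are placeholders.
SAMPLE = [
    '51.159.98.241 - - [01/Jan/2000:00:00:01 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [01/Jan/2000:00:00:02 +0000] "POST /API/now/related_list_edit%2Fcreate?x=1 HTTP/1.1" 200 904 "-" "-"',
    '203.0.113.20 - jdoe [01/Jan/2000:00:00:03 +0000] "GET /api/now/table/incident HTTP/1.1" 200 312 "-" "-"',
    '51.159.98.241 - - [01/Jan/2000:00:00:04 +0000] "GET /login.do HTTP/1.1" 200 100 "-" "-"',
    '203.0.113.20 - jdoe [01/Jan/2000:00:00:05 +0000] "GET /api/now/related_list_editor HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, reqs in find_endpoint_hits(SAMPLE).items():
        tag = "REPORTED IP" if ip == REPORTED_IP else "other source"
        for r in reqs:
            print(f'{ip} ({tag}) {r["ts"]} {r["method"]} {r["path"]} -> {r["status"]}')
```

Successful responses to requests with no recorded user are the entries to compare against the support case ServiceNow sent.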
Marcus Webb