CVE-2025-3648, codenamed “Count(er) Strike,” is a high-severity flaw in the ServiceNow platform that lets attackers, even without full access, quietly piece together sensitive information such as user data or internal configurations. The issue lies in how ServiceNow handles certain access controls under specific conditions: the platform unintentionally reveals how many records match a search, even when the user is not allowed to see the matching records themselves. By crafting filters, an attacker can use those counts to infer restricted values one character at a time. While no active attacks have been reported yet, the vulnerability is easy to exploit, so organizations should update ServiceNow and review their ACL settings right away.
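The character-by-character inference described above leaves a recognisable trace in request logs: one principal issues a long run of list or count queries whose filter value grows by exactly one character each time. The following heuristic detector is an added example, not HivePro's or ServiceNow's own code; the log format it consumes is a constructed, hypothetical `(user, filter value)` sequence rather than a real ServiceNow audit record, and the threshold of four consecutive extensions is an assumed tuning value.

```python
"""Heuristic detector for count-based, character-by-character inference.

Constructed example: the record format below is hypothetical, not a real
ServiceNow log format. Each record is (user, filter value) in request order,
as a defender might extract from an access or API log.
"""
from collections import defaultdict
from typing import Iterable

# Constructed sample records: (user, filter value sent with a list/count request).
# "mallory" extends the same prefix one character per request; the others do not.
SAMPLE_REQUESTS = [
    ("alice", "inc"), ("alice", "incident"), ("alice", "change"),
    ("mallory", "a"), ("mallory", "s"), ("mallory", "se"), ("mallory", "sec"),
    ("mallory", "secr"), ("mallory", "secre"), ("mallory", "secret"),
    ("bob", "laptop"), ("bob", "lapto"),
]


def longest_prefix_chain(values: Iterable[str]) -> tuple[int, str]:
    """Return (length, final_value) of the longest run of consecutive values in
    which each value extends the previous one by exactly one character."""
    best_len, best_val = 0, ""
    run_len, prev = 0, None
    for v in values:
        if prev is not None and len(v) == len(prev) + 1 and v.startswith(prev):
            run_len += 1          # continues the one-character-at-a-time pattern
        else:
            run_len = 1           # pattern broken; start a new run at this value
        if run_len > best_len:
            best_len, best_val = run_len, v
        prev = v
    return best_len, best_val


def flag_enumerators(requests, min_chain: int = 4) -> dict[str, str]:
    """Map user -> suspicious prefix for every user whose filter values grew one
    character at a time for at least min_chain consecutive requests.

    min_chain is an assumed threshold; tune it against real traffic, since short
    chains also arise from ordinary incremental searching."""
    per_user: dict[str, list[str]] = defaultdict(list)
    for user, value in requests:
        per_user[user].append(value)
    flagged = {}
    for user, values in per_user.items():
        chain_len, final_value = longest_prefix_chain(values)
        if chain_len >= min_chain:
            flagged[user] = final_value
    return flagged


if __name__ == "__main__":
    for user, prefix in flag_enumerators(SAMPLE_REQUESTS).items():
        print(f"suspicious enumeration by {user}: last probed prefix {prefix!r}")
```

The heuristic is deliberately simple: it ignores which table or field was queried and only looks at the shape of the filter values, so it is best treated as a triage signal that prompts a review of the user's session and of the ACLs on the tables involved, not as proof of abuse.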