
Security researchers at Varonis have uncovered a critical vulnerability in ServiceNow that does just that. Dubbed “Counter-Strike” and tracked as CVE-2025-3648, this flaw allows a low-privilege authenticated user to achieve a full system takeover, creating rogue administrator accounts and gaining unfettered access to the platform’s vast repository of sensitive data.
With a CVSS score of 9.9 (Critical), this isn’t a minor bug. It’s a sophisticated attack path that turns a privileged user’s routine login into the final trigger for a complete compromise. For CISOs and SecOps teams, understanding and acting on this threat is an immediate priority.
The Threat: What is the “Counter-Strike” Vulnerability?
At its core, “Counter-Strike” is a path traversal vulnerability lurking within the Now Support (NS) framework of ServiceNow. The flaw allows an attacker to manipulate a specific system property, glide.entry.first.page.script, which dictates the very first script that runs when a user logs into the platform.
The name “Counter-Strike” is brilliantly apt. The attacker doesn’t storm the castle gates; they subtly lay a trap. They use the vulnerability to replace the legitimate login script with their own malicious payload. Then, they simply wait for a high-privilege user to “strike” by logging in. The moment they do, ServiceNow itself unwittingly executes the attacker’s script with the full authority of that administrator, triggering the devastating counter-attack.
The Kill Chain: From Low-Privilege User to Rogue Admin
The attack’s brilliance lies in its ability to leverage a low-level entry point to achieve a high-level compromise, all while remaining hidden until the final moment.
- Initial Access & Reconnaissance: The attacker begins with access to a low-privilege authenticated account on the ServiceNow instance. This could be a basic IT user, a contractor, or any account with minimal permissions.
- Setting the Trap: Manipulating the Login Script Property: The attacker exploits the path traversal vulnerability within the v_customer_ns table. This allows them to bypass standard security controls and modify the system property glide.entry.first.page.script. Normally, this property points to a benign script like login_redirect.js. The attacker, however, updates this property to point to a new, malicious script they have uploaded as an attachment to the platform.
- The Strike: A Privileged User Logs In: The trap is now set. The attacker waits for an administrator or any other user with high-level privileges to log into the ServiceNow platform. This is the only user interaction required.
- The Counter-Strike: Code Execution as a Service: When the privileged user authenticates, ServiceNow consults the (now malicious) glide.entry.first.page.script property to determine what to do next. Instead of the normal login page, it fetches and executes the attacker’s script. Because this script is executed within the context of the logging-in user, it runs with their full administrative permissions.
- Full System Compromise: With their code now running as an administrator, the attacker has complete control. The most common post-exploitation step is to use this access to create a new, persistent administrator account, giving them a permanent foothold in the system. From there, they can:
- Exfiltrate any and all data stored within ServiceNow (incident reports, asset inventories, user information, internal knowledge bases).
- Modify or disable security workflows and integrations.
- Use ServiceNow’s orchestration capabilities to push malicious commands to other integrated systems.
- Create fake IT support tickets to launch sophisticated social engineering attacks against other employees.
The Impact
A compromise of ServiceNow is not just another security incident; it’s a potential business-ending event. Because ServiceNow is so deeply integrated into the enterprise, an attacker with administrative access can:
- Undermine the Entire Security Program: They can close legitimate security incident tickets, delete evidence of their own activity, and use the platform’s automation to disable other security tools across the network.
- Access the Crown Jewels: ServiceNow often contains a comprehensive map of an organization’s most critical assets, vulnerabilities, and internal processes—a goldmine for any threat actor.
- Become the Ultimate Insider Threat: By creating a rogue administrator account, the attacker can operate with impunity, making it incredibly difficult to detect their presence or distinguish their actions from legitimate administrative activity.
Your Action Plan: A 3-Step Guide to Mitigation and Hunting
Given the critical nature of this vulnerability, immediate and decisive action is required.
1. PATCH: The Definitive Solution
ServiceNow has released patches to address CVE-2025-3648. This is the most critical and effective step your team can take. The patch permanently closes the path traversal vulnerability, making the “trap setting” phase of the attack impossible.
Action: Consult the ServiceNow support portal for the specific patch or update relevant to your instance version and deploy it immediately following your change management procedures. Do not delay.
2. HUNT: Proactively Search for Signs of Compromise
Because this vulnerability may have been exploited before you could patch, it is essential to hunt for indicators of compromise.
Action 1: Check the Critical System Property
The Varonis research team provided a clear method to check if the glide.entry.first.page.script property has been tampered with.
Navigate to: https://[your-instance].service-now.com/sys_properties_list.do?sysparm_query=name=glide.entry.first.page.script
Examine the Value: The default, legitimate value for this property should be login_redirect.js. If it points to anything else, especially a script in the sys_attachment table, your instance has been compromised.
Action 2: Scan for Malicious Attachments and Admins
The Varonis team also recommends querying the underlying database tables directly to look for suspicious activity.
- Query for Suspicious Attachments: Check the sys_attachment table for any unexpected .js files that are being used as login scripts.
- Audit Privileged Accounts: Scrutinize the sys_user_has_role table. Look for any recently created accounts that have been granted the “admin” role. Cross-reference these with your change management records to identify any unauthorized or rogue administrator accounts.
3. HARDEN: Long-Term Resilience
Beyond the immediate patch, this vulnerability is a powerful reminder of the need for continuous hardening.
- Enforce the Principle of Least Privilege: Regularly review all user roles and permissions within ServiceNow. Ensure that users only have the absolute minimum level of access required to perform their jobs.
- Secure Scripting and Attachments: Tightly control who has the ability to upload attachments that can be executed as scripts. Implement a strict review process for any changes to system-level script properties.
- Monitor for High-Risk Events: Configure alerts for any changes to critical system properties like glide.entry.first.page.script and for the creation of any new accounts with administrative privileges.
Conclusion: Fortifying Your Digital Nervous System
The “Counter-Strike” vulnerability is a sobering illustration of how a single, well-placed flaw in a business-critical platform can unravel an entire security posture. It demonstrates the sophisticated, multi-stage approach of modern threat actors and reinforces the absolute necessity of proactive patching, continuous monitoring, and a security-first mindset.
By taking immediate action to patch this vulnerability and hunt for any signs of compromise, you can protect your organization’s digital nervous system from a potentially devastating blow.
To further enhance your cloud security and implement Zero Trust, contact me on LinkedIn Profile or [email protected].
ServiceNow “Counter-Strike” FAQ (CVE-2025-3648)
- What is CVE-2025-3648, or “Counter-Strike”? It is a critical (CVSS 9.9) path traversal vulnerability in ServiceNow that allows an authenticated, low-privilege user to modify a core system property. This enables them to hijack the login process and execute a malicious script with the privileges of the next administrator who logs in, leading to a full system compromise.
- Is an attacker required to have admin rights to exploit this? No. This is the most dangerous aspect of the vulnerability. The attacker only needs access to any authenticated user account on the instance to set the initial trap.
- What is the immediate fix? You must install the security patches released by ServiceNow for your specific instance version as soon as possible. This is the only way to permanently fix the vulnerability.
- How can I check if I’ve already been compromised? The most direct way is to check the glide.entry.first.page.script system property in your ServiceNow instance. Its value should be login_redirect.js. If it’s anything else, you should immediately trigger your incident response plan. Additionally, you should audit for any recently created, unauthorized administrator accounts.
- Is our ServiceNow instance at risk if it’s not internet-facing? Yes. The attack only requires an authenticated user. This could be an insider threat or an attacker who has compromised a legitimate user’s credentials through other means, such as phishing. The vulnerability is in the application itself, not its network exposure.
Relevant Resource List
- Varonis Blog: “Counter-Strike: How a Critical ServiceNow Vulnerability Allows Attackers to Create Rogue Admins”
- The Hacker News: “New ‘Counter-Strike’ Flaw in ServiceNow Could Let Attackers Create Rogue Admins”
- SecurityBuzz: “Inside the ServiceNow ‘Counter-Strike’ Vulnerability”
- ServiceNow Support Portal: (For official patches and security advisories)