
ServiceNow’s Now Platform is a cornerstone for enterprise IT management, automation, and digital workflows. However, a recently disclosed authorization bypass vulnerability (CVE-2025-0337, CVSS 7.1) in its Washington release raises concerns about potential unauthorized access to sensitive data.
ServiceNow has confirmed that this vulnerability, if exploited, could allow an authenticated user to access restricted data, bypassing intended access controls.
According to the official advisory: “This vulnerability, if exploited, potentially could enable an authenticated user to access data stored within the Now Platform that the user otherwise would not be entitled to access.”
While CVE-2025-0337 does not allow unauthenticated remote access, the flaw weakens internal data security, potentially exposing sensitive records within IT service management (ITSM), customer relationship management (CRM), and other critical business processes managed by ServiceNow.
As ServiceNow is widely used across Fortune 500 companies, government agencies, and IT service providers, any vulnerability affecting data security could have far-reaching consequences.
The vulnerability has been patched in the Washington DC Patch 9, Xanadu Patch 4, and Yokohama General Availability (Patch 1) releases. ServiceNow has made these patches available to all hosted and self-hosted customers, as well as partners.
ServiceNow urges all customers to apply the necessary patches as soon as possible to mitigate the risk of exploitation. Customers can obtain the patches through their usual update channels or by contacting ServiceNow support.