PT-2025-28488 · Servicenow · Servicenow

Author: Mio Matsushita

Published: 2025-07-08 · Updated: 2026-02-13

CVE-2025-3648

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Now Platform versions prior to March 2025; Now Platform versions prior to September 2024
Description: A vulnerability exists within the Now Platform that could allow unauthorized data inference. Under specific configurations of conditional Access Control Lists (ACLs), authenticated and unauthenticated users may be able to utilize range query requests to access instance data they are not authorized to view. The vulnerability, also known as "Count(er) Strike", allows low-privileged users to bypass ACLs and extract sensitive data. Exploitation occurs through URL filters and requires minimal access to target tables. The vulnerability could potentially expose Personally Identifiable Information (PII), credentials, and financial information.
Recommendations: Now Platform versions prior to March 2025: Apply the security update released in March 2025 to enhance ACL configurations. Now Platform versions prior to September 2024: Apply the security update released in September 2024 to enhance ACL configurations. Review and properly configure Access Control Lists (ACLs) to prevent unauthorized data access.

Related Identifiers

BDU:2026-02116
CVE-2025-3648

Affected Products

Servicenow