CVE-2024-8923

CRITICAL

ServiceNow - Unauthenticated Remote Code Execution

Description

ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow deployed an update to hosted instances and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes.

Scores

CVSS v3 9.8
EPSS 0.0111
EPSS Percentile 61.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-94
Status published
Products (3)
servicenow/servicenow xanadu early_availability (2 CPE variants)
servicenow/servicenow washington_dc (18 CPE variants)
servicenow/servicenow vancouver (30 CPE variants)
Published Oct 29, 2024
Tracked Since Feb 18, 2026