CVE-2025-0337
MEDIUM
ServiceNow Now Platform < Washington DC Patch 9, < Xanadu Patch 4, < Yokohama - Authenticated Authorization Bypass
Title source: llm
Description
ServiceNow has addressed an authorization bypass vulnerability that was identified in the Washington release of the Now Platform. This vulnerability, if exploited, potentially could enable an authenticated user to access unauthorized data stored within the Now Platform that the user otherwise would not be entitled to access. This issue is addressed in the listed patches and family release, which have been made available to hosted and self-hosted customers, as well as partners.
Scores
CVSS v3: 6.5
EPSS: 0.0036
EPSS Percentile: 27.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-639
Status: published
Products (3)
ServiceNow/Now Platform: < Washington DC Patch 9
ServiceNow/Now Platform: < Xanadu Patch 4
ServiceNow/Now Platform: < Yokohama
Published: Mar 06, 2025
Tracked Since: Feb 18, 2026