CVE-2024-5217
Published: 10 July 2024
Summary
CVE-2024-5217 is a critical-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Servicenow Servicenow. Its CVSS base score is 9.2 (Critical).
Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
ServiceNow addressed an input validation vulnerability present in its Now Platform releases Washington DC, Vancouver, and earlier. The flaw, tracked as CVE-2024-5217, permits remote code execution in the context of the platform and carries a CVSS 4.0 score of 9.2.
An unauthenticated attacker with network access can supply crafted input to trigger arbitrary code execution without user interaction or elevated privileges. The associated CWEs (184 and 697) point to failures in input validation and equivalence checks that allow the malicious payload to reach execution.
ServiceNow’s June 2024 security patches and hot fixes resolve the issue; the vendor’s KB articles KB1644293 and KB1648313 list the specific fixed builds and urge customers to apply the relevant updates immediately. Public references also note active exploitation attempts against unpatched instances.
EPSS scores remain elevated, with a current value of 0.9411 and a recorded peak of 0.9616, indicating sustained exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46457
Vulnerability details
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability…
more
is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
- CWE(s)
- KEV Date Added
- 29 July 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of inputs to block the malformed data that enables unauthenticated RCE in the Now Platform.
Mandates prompt application of the June 2024 patches/hotfixes that remediate CVE-2024-5217 before exploitation occurs.
Boundary-protection mechanisms can restrict network-reachable access to the vulnerable ServiceNow instance, limiting unauthenticated attack surface.