← Back to CVEs
CVE-2024-4879
CRITICALCISA KEV9.8
Description
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published7/10/2024
Last Modified11/3/2025
Sourcekev
Honeypot Sightings0
CISA KEV
VendorServiceNow
ProductUtah, Vancouver, and Washington DC Now Platform
Vulnerability NameServiceNow Improper Input Validation Vulnerability
KEV Date Added2024-07-29
Remediation Due Date2024-08-19
Ransomware UseUnknown
Affected Products
servicenow:servicenow
Weaknesses (CWE)
CWE-1287
References
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293(psirt@servicenow.com)
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154(psirt@servicenow.com)
https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit(psirt@servicenow.com)
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293(af854a3a-2127-422b-91ae-364da2661108)
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154(af854a3a-2127-422b-91ae-364da2661108)
https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4879(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.