
In June 2026, a critical broken access control vulnerability was identified in ServiceNow hosted instances that allowed unauthenticated actors to gain unauthorized access to customer environments, most likely through the platform's public-facing API. The flaw permitted potential data exposure and, through suspected escalation paths, administrative access. ServiceNow deployed a security update to hosted instances on June 5, 2026; the incident was complicated by bug bounty researchers whose testing triggered security alerts in several organizations and produced false-positive breach notifications. Organizations should audit API logs for anomalous unauthenticated calls and for unauthorized administrative activity from before the patch date to determine whether their own instance was compromised.

  • Vulnerability Overview: Unauthenticated Access

    • Flaw categorized as Broken Access Control within the ServiceNow SaaS platform.
    • Permitted unauthorized actors to bypass authentication mechanisms to access customer instances.
    • Primary attack vector is suspected to be via public-facing API endpoints.
  • Technical Mechanics & Exploitation

    • Attackers could potentially execute API calls without valid credentials to retrieve sensitive internal data.
    • Suspected escalation paths allowed for deeper environment access, potentially reaching administrative levels.
    • Exploitation was observed in the wild, though specific exploit payloads remain undisclosed by the vendor.
  • Incident Complexity & Impact

    • Potential exposure of sensitive customer data across multiple hosted (SaaS) instances.
    • High incident response overhead for customers who misidentified legitimate bug bounty research as malicious activity, since researcher probes and real exploitation can look alike in the same telemetry.
    • Limited vendor disclosure has obscured the total number of impacted customers and the identity of malicious threat actors.
  • Detection & Mitigation Strategies

    • ServiceNow applied a mandatory security update to all hosted instances on June 5, 2026. The update closes the access path going forward but does not reverse access gained before it was applied, so a retrospective review is still required.
    • Security teams should review API logs for unauthenticated requests that succeeded (a 2xx rather than the expected 401/403) and for anomalous data egress patterns, such as large record counts returned to a single source.
    • Audit administrative access and role-assignment logs for unauthorized accounts or unexpected privilege escalations occurring prior to June 5.
  • Conclusion & Strategic Outlook

    • The event highlights the systemic risk of API-based access control failures in multi-tenant SaaS environments.
    • The overlap between bug bounty activity and actual exploitation emphasizes the need for higher-fidelity telemetry to distinguish intent.
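
The three checks in the detection list above, as an added example that is not code from the page or from ServiceNow. It runs over constructed JSON-lines logs: the field names and the log shape (ts, src_ip, user, method, path, status, rows; and actor, target_user, role for role grants) are assumptions for illustration, not ServiceNow's real transaction log or sys_audit export format, so map them onto your own instance's logs before use. The /api/now/table paths follow the general shape of the Table API; the sample events and the June 5 cutoff date from the page are the only inputs.

```python
"""Triage helper for the ServiceNow access-control incident described above.

Added example; not ServiceNow's own tooling. The log format below is a
constructed JSON-lines shape, NOT ServiceNow's real transaction log or
sys_audit format, so every field name is an assumption to be mapped
onto real instance logs.
"""
import json
from datetime import datetime, timezone

# Date the page reports the vendor-side fix was applied to hosted instances.
PATCH_CUTOFF = datetime(2026, 6, 5, tzinfo=timezone.utc)

# Constructed sample API transaction log (JSON lines). "user": null means
# the request carried no valid session or credential.
SAMPLE_API_LOG = """\
{"ts": "2026-06-01T08:15:02Z", "src_ip": "203.0.113.7", "user": null, "method": "GET", "path": "/api/now/table/sys_user", "status": 200, "rows": 5000}
{"ts": "2026-06-01T08:15:09Z", "src_ip": "203.0.113.7", "user": null, "method": "GET", "path": "/api/now/table/incident", "status": 200, "rows": 10000}
{"ts": "2026-06-02T10:00:00Z", "src_ip": "198.51.100.4", "user": "jsmith", "method": "GET", "path": "/api/now/table/incident", "status": 200, "rows": 20}
{"ts": "2026-06-03T11:30:44Z", "src_ip": "192.0.2.55", "user": null, "method": "GET", "path": "/api/now/table/sys_user", "status": 401, "rows": 0}
{"ts": "2026-06-04T23:59:59Z", "src_ip": "203.0.113.9", "user": null, "method": "POST", "path": "/api/now/table/sys_user_has_role", "status": 201, "rows": 1}
{"ts": "2026-06-06T09:00:00Z", "src_ip": "203.0.113.7", "user": null, "method": "GET", "path": "/api/now/table/sys_user", "status": 401, "rows": 0}
"""

# Constructed sample of role-assignment audit records (an assumed shape,
# not a real sys_audit export).
SAMPLE_ROLE_AUDIT = """\
{"ts": "2026-05-20T09:00:00Z", "actor": "svc_provisioning", "target_user": "abrown", "role": "itil"}
{"ts": "2026-06-04T23:59:59Z", "actor": "guest", "target_user": "maint_tmp", "role": "admin"}
{"ts": "2026-06-10T14:00:00Z", "actor": "svc_provisioning", "target_user": "cgreen", "role": "admin"}
"""


def parse_jsonl(text):
    """Parse JSON lines into dicts, converting ts to an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def unauthenticated_api_successes(events, cutoff=PATCH_CUTOFF):
    """Pre-patch API calls that succeeded (2xx) without an authenticated user.

    A 401 is the expected outcome for an anonymous caller; a 2xx on an
    /api/ path before the fix is the signal worth chasing.
    """
    return [
        ev for ev in events
        if ev["user"] is None
        and ev["path"].startswith("/api/")
        and 200 <= ev["status"] < 300
        and ev["ts"] < cutoff
    ]


def egress_by_source(events, min_rows=1000):
    """Total rows returned per source IP across unauthenticated successes,
    keeping only sources above a bulk-read threshold (anomalous egress)."""
    totals = {}
    for ev in unauthenticated_api_successes(events):
        totals[ev["src_ip"]] = totals.get(ev["src_ip"], 0) + ev["rows"]
    return {ip: n for ip, n in totals.items() if n >= min_rows}


def suspicious_admin_grants(audit, approved_actors, cutoff=PATCH_CUTOFF):
    """Admin role grants before the cutoff made by an actor outside the
    approved provisioning set (unexpected privilege escalation)."""
    return [
        rec for rec in audit
        if rec["role"] == "admin"
        and rec["actor"] not in approved_actors
        and rec["ts"] < cutoff
    ]


def triage(api_text=SAMPLE_API_LOG, audit_text=SAMPLE_ROLE_AUDIT,
           approved_actors=frozenset({"svc_provisioning"})):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_jsonl(api_text)
    audit = parse_jsonl(audit_text)
    return {
        "unauth_hits": unauthenticated_api_successes(events),
        "bulk_egress": egress_by_source(events),
        "admin_grants": suspicious_admin_grants(audit, approved_actors),
    }


if __name__ == "__main__":
    result = triage()
    for hit in result["unauth_hits"]:
        print(f"{hit['ts'].isoformat()} {hit['src_ip']} {hit['method']} "
              f"{hit['path']} rows={hit['rows']}")
    print("bulk egress by source:", result["bulk_egress"])
    for g in result["admin_grants"]:
        print(f"admin granted to {g['target_user']} by {g['actor']} "
              f"at {g['ts'].isoformat()}")
```

On the sample data the script flags three unauthenticated successes before the fix, one bulk reader (203.0.113.7, 15,000 rows across two tables) and one admin grant by an unapproved actor. Note what it does not do: a bug bounty researcher's probe will land in unauth_hits exactly like an attacker's, which is the false-positive problem the page describes. Row counts per source and whether a POST to a role table followed the reads are what separate a proof-of-concept read from an actual compromise, so treat the first list as leads and the other two as the findings to escalate.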
