In June 2026, a critical broken access control vulnerability was identified in ServiceNow hosted instances, allowing unauthenticated actors to gain unauthorized access to customer environments, likely via API exploitation. The flaw permitted potential data exposure and administrative access. While ServiceNow deployed a security update on June 5, 2026, to mitigate the risk, the incident was complicated by bug bounty researchers whose testing triggered security alerts in several organizations, creating false-positive breach notifications. Organizations should audit API logs for anomalous unauthenticated calls and unauthorized administrative activity to determine if their specific instance was compromised prior to patching.
Vulnerability Overview: Unauthenticated Access
- Flaw categorized as Broken Access Control within the ServiceNow SaaS platform.
- Permitted unauthorized actors to bypass authentication mechanisms to access customer instances.
- Primary attack vector is suspected to be via public-facing API endpoints.
Technical Mechanics & Exploitation
- Attackers could potentially execute API calls without valid credentials to retrieve sensitive internal data.
- Suspected escalation paths allowed for deeper environment access, potentially reaching administrative levels.
- Exploitation was observed in the wild, though specific exploit payloads remain undisclosed by the vendor.
Incident Complexity & Impact
- Potential exposure of sensitive customer data across multiple hosted (SaaS) instances.
- High incident response overhead for customers misidentifying legitimate bug bounty research as malicious activity.
- Limited vendor disclosure has obscured the total number of impacted customers and the identity of malicious threat actors.
Detection & Mitigation Strategies
- ServiceNow applied a mandatory security update to all hosted instances on June 5, 2026.
- Security teams should review logs for unusual unauthenticated API requests and anomalous data egress patterns.
- Audit administrative access logs for unauthorized accounts or unexpected privilege escalations occurring prior to June 5.
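The two log-review steps above can be turned into a repeatable triage pass. The script below is an added example, not ServiceNow's tooling or anything from the advisory; it runs over a constructed JSON-lines export whose field names (`ts`, `method`, `path`, `user`, `status`, `bytes`, `src_ip`, `body`) are an assumption, and it flags three things for the pre-patch window the page names: successful API calls with no authenticated user, grants of an admin-level role, and bulk data egress from sources that were never authenticated. The `/api/now/table/...` paths and the `sys_user_has_role` table exist in ServiceNow, but the log shape and the watched role names are assumptions to adapt to whatever your instance actually exports.

```python
"""Triage helper: flag suspicious pre-patch API activity in an instance log export.

Added example, not vendor code. The JSON-lines format and field names below are
constructed for illustration; map them onto your real log export.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Vendor update date as stated in the advisory summary (June 5, 2026).
PATCH_DATE = datetime(2026, 6, 5, tzinfo=timezone.utc)

# Role names treated as administrative; an assumption, extend for your instance.
ADMIN_ROLES = {"admin", "security_admin"}

# Constructed sample records. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
{"ts":"2026-06-01T02:14:07Z","method":"GET","path":"/api/now/table/sys_user","user":"","status":200,"bytes":48213,"src_ip":"203.0.113.7"}
{"ts":"2026-06-01T02:14:09Z","method":"GET","path":"/api/now/table/incident","user":"","status":200,"bytes":912044,"src_ip":"203.0.113.7"}
{"ts":"2026-06-01T09:10:00Z","method":"GET","path":"/api/now/table/incident","user":"jsmith","status":200,"bytes":12010,"src_ip":"198.51.100.3"}
{"ts":"2026-06-02T03:30:12Z","method":"POST","path":"/api/now/table/sys_user_has_role","user":"","status":201,"bytes":310,"src_ip":"203.0.113.7","body":{"user":"svc_backup","role":"admin"}}
{"ts":"2026-06-06T11:00:00Z","method":"GET","path":"/api/now/table/incident","user":"","status":401,"bytes":0,"src_ip":"203.0.113.9"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def triage(records, patch_date=PATCH_DATE, egress_threshold=500_000):
    """Return findings for activity before patch_date.

    Findings:
      unauthenticated_api_success  - 2xx response to an /api/ call with no user
      admin_role_grant             - successful POST granting a watched role
      unauthenticated_bulk_egress  - total bytes served to unauthenticated calls
                                     from one source above egress_threshold
    """
    findings = []
    unauth_bytes = defaultdict(int)
    for rec in records:
        if rec["ts"] >= patch_date:
            continue  # post-patch traffic is out of scope for compromise assessment
        unauthenticated = not rec.get("user")
        success = 200 <= rec["status"] < 300
        if unauthenticated and success and rec["path"].startswith("/api/"):
            findings.append({"ts": rec["ts"].isoformat(), "src_ip": rec["src_ip"],
                             "reason": "unauthenticated_api_success", "path": rec["path"]})
            unauth_bytes[rec["src_ip"]] += rec.get("bytes", 0)
        body = rec.get("body") or {}
        if (success and rec["method"] == "POST"
                and rec["path"].endswith("/sys_user_has_role")
                and body.get("role") in ADMIN_ROLES):
            findings.append({"ts": rec["ts"].isoformat(), "src_ip": rec["src_ip"],
                             "reason": "admin_role_grant",
                             "detail": f"{body.get('user')} -> {body.get('role')}"})
    for ip, total in unauth_bytes.items():
        if total > egress_threshold:
            findings.append({"ts": None, "src_ip": ip,
                             "reason": "unauthenticated_bulk_egress", "bytes": total})
    return findings


def run_sample():
    """Run the triage over the constructed sample log."""
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample data the authenticated request from `jsmith` and the post-patch 401 produce nothing, while the single unauthenticated source is flagged three ways: successful API reads, an admin role grant, and roughly 960 KB of egress in total. The egress threshold and the role list are the knobs to tune against a baseline of your own instance before treating any hit as an incident, which is also where legitimate bug bounty traffic (which the page notes caused false positives) should be separated from real compromise by source and timing.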
Conclusion & Strategic Outlook
- The event highlights the systemic risk of API-based access control failures in multi-tenant SaaS environments.
- The overlap between bug bounty activity and actual exploitation emphasizes the need for higher-fidelity telemetry to distinguish intent.