IRONSMITHINTEL

Critical, CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2024-4879 | Auth: none (unauthenticated) | Reboot: required | Manual only

ServiceNow Improper Input Validation Vulnerability

ServiceNow Utah, Vancouver, and Washington DC Now Platform releases contain a jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute code remotely.

Published Jul 10, 2024 · Updated May 16, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2024-08-19 under CISA BOD 22-01.

How the attack works (no clicks needed)

This is an improper input validation vulnerability (CWE-1287) in the ServiceNow Utah, Vancouver, and Washington DC Now Platform releases. ServiceNow has addressed an input validation vulnerability that was identified in the Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances and released the update to its partners and self-hosted customers. The patches and hot fixes that address the vulnerability are listed in the vendor advisory referenced below; if you have not done so already, apply the security patches relevant to your instance as soon as possible. Exploitation requires remote network access, low attack complexity, no authentication, and no user interaction.


Am I affected? (quick check)

Probably yes if any of these apply:

- IT security: running ServiceNow Now Platform release Utah, Vancouver, or Washington DC (servicenow: utah, vancouver, washington_dc)

Real-world incidents (what we've seen)

Active exploitation documented in the wild. Threat-research write-up: https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

References

- Vendor advisory: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-4879
- CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4879