
ServiceNow Bug Exposed Customer Data Without Any Login Required

Source: techcrunch.com · Posted by @market_structure · 2 hours ago · Cybersecurity · 2 comments

A bug in ServiceNow's platform let unauthenticated users access customer instances; the June 5 patch fixes it, but the exposure scope remains unknown.

Tags: servicenow, data exposure, authentication bug, cloud security, vulnerability

On June 5, ServiceNow quietly pushed a patch for a bug that let anyone on the internet read customer data without so much as a password. No credentials required — just a curl command and a target instance.

The Bug: Unauthenticated Access to Customer Instances

ServiceNow confirmed in a knowledge base article (since hidden behind a login wall, but shared on Reddit) that the bug allowed unauthenticated users to "gain greater access" to hosted data than intended. The company says it affected Australian customer instances, but Reddit users outside Australia report evidence of external access to their own instances. Network defenders have already pinned an indicator of compromise: IP address 51.159.98.241.

Given that the bug required no authentication, customers couldn't have locked it down themselves. ServiceNow had to fix it on their end. That's a serious trust gap when your platform holds IT and HR workflows — the kind of systems that store passwords, keys, and credentials inside support tickets.

The Silence After the Patch

ServiceNow hasn't answered basic questions: How many customers were exposed? How long was the bug active? Did any group exploit it? A TechCrunch request for comment went unanswered. The patch is live, but the damage assessment is still vapor.

What ServiceNow Customers Should Do Now

If you're a ServiceNow customer, pull your instance logs and search for 51.159.98.241. That IP is the only known fingerprint of potential compromise. Without a disclosure from ServiceNow, that's the best you've got. Expect more details to trickle out as security researchers and affected customers compare notes on Reddit and elsewhere.
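The log search suggested above is easy to get wrong by hand: a plain substring grep for the IP also matches longer addresses that merely start with the same digits, and it misses the IP when it is buried in a forwarded-for list. The following script is an added example, not code from the article or from ServiceNow. It assumes a generic "timestamp client_ip method path status" line shape (the sample lines are constructed and are not real ServiceNow transaction log output), matches the IoC only as a whole IPv4 token, and summarizes the first and last sightings so you can bound the window of potential exposure.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicator of compromise named in the article. Kept as a set so further
# indicators can be appended as more details emerge (assumption).
IOC_IPS = {"51.159.98.241"}

# Constructed sample log lines; generic shape, not real ServiceNow output.
# Line 3 carries a near-miss address (51.159.98.2410) that a naive substring
# search would wrongly flag; line 5 hides the IoC inside a forwarded-for list.
SAMPLE_LOG = """\
2025-06-04T09:12:44Z 203.0.113.7 GET /api/now/table/incident 200
2025-06-04T09:13:02Z 51.159.98.241 GET /api/now/table/sys_user 200
2025-06-04T09:13:05Z 51.159.98.2410 GET /api/now/table/incident 403
2025-06-04T09:14:19Z 198.51.100.22 POST /api/now/table/incident 201
2025-06-04T09:15:00Z 10.0.0.5 GET /api/now/table/kb_knowledge 200 xff=51.159.98.241,10.0.0.5
2025-06-04T09:16:41Z 51.159.98.241 GET /api/now/attachment 200
"""

# Dotted quad bounded by non-digit, non-dot characters, so "51.159.98.2410"
# is not read as "51.159.98.241" followed by junk.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


@dataclass
class Hit:
    line_no: int
    timestamp: str
    matched_ip: str
    line: str


def extract_ips(line: str) -> list[str]:
    """Return every syntactically valid IPv4 address that appears as a whole token."""
    found = []
    for candidate in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(candidate)  # rejects octets above 255
        except ValueError:
            continue
        found.append(candidate)
    return found


def find_ioc_hits(log_text: str, iocs=IOC_IPS) -> list[Hit]:
    """Scan log text line by line and record each line that contains an IoC address."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        for ip in extract_ips(line):
            if ip in iocs:
                timestamp = line.split(maxsplit=1)[0]  # assumption: timestamp is the first field
                hits.append(Hit(line_no, timestamp, ip, line))
                break  # one hit per line is enough for triage
    return hits


def summarize(hits: list[Hit]) -> dict:
    """Per-IoC hit count plus earliest and latest timestamp (ISO 8601 sorts lexically)."""
    summary = {}
    for hit in hits:
        entry = summary.setdefault(
            hit.matched_ip, {"count": 0, "first": hit.timestamp, "last": hit.timestamp}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], hit.timestamp)
        entry["last"] = max(entry["last"], hit.timestamp)
    return summary


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit.line_no}: {hit.matched_ip} -> {hit.line}")
    print(summarize(found))
```

Point `find_ioc_hits` at your exported instance logs instead of `SAMPLE_LOG`; if the first field of your export is not a timestamp, adjust the `timestamp` extraction accordingly. Any hit is a reason to review what that session read, not proof of compromise on its own.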

Until ServiceNow releases a full incident report — or at least answers how long the data was exposed — every customer should treat this as an active threat. No authentication required, just a bug that should never have shipped.


Source: ServiceNow tells customers a bug left some of their data exposed to the internet
Domain: techcrunch.com


