| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.3 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic was found in ServiceNow Now Platform. This affects an unknown part. The manipulation results in authorization. This vulnerability is reported as CVE-2025-0337. The attack can be launched remotely. No exploit exists. Upgrading the affected component is advised.
Details
A vulnerability classified as problematic has been found in ServiceNow Now Platform (version unknown). Affected is an unknown function. The manipulation with an unknown input leads to a authorization vulnerability. CWE is classifying the issue as CWE-639. The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. This is going to have an impact on confidentiality. CVE summarizes:
ServiceNow has addressed an authorization bypass vulnerability that was identified in the Washington release of the Now Platform. This vulnerability, if exploited, potentially could enable an authenticated user to access unauthorized data stored within the Now Platform that the user otherwise would not be entitled to access. This issue is addressed in the listed patches and family release, which have been made available to hosted and self-hosted customers, as well as partners.
The weakness was disclosed by Justin Hocquel as KB1948695. The advisory is shared for download at support.servicenow.com. This vulnerability is traded as CVE-2025-0337 since 01/08/2025. The exploitability is told to be easy. It is possible to launch the attack remotely. There are neither technical details nor an exploit publicly available.
The vulnerability scanner Nessus provides a plugin with the ID 232730 (ServiceNow Platform Authorization Bypass (CVE-2025-0337)), which helps to determine the existence of the flaw in a target environment.
Upgrading eliminates this vulnerability.
The vulnerability is also documented in the vulnerability database at Tenable (232730). VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Vendor
Name
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CNA CVSS-B Score: 🔍
CNA CVSS-BT Score: 🔍
CNA Vector: 🔍
CVSSv3
VulDB Meta Base Score: 5.4VulDB Meta Temp Score: 5.3
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 6.5
CNA Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: AuthorizationCWE: CWE-639 / CWE-285 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 232730
Nessus Name: ServiceNow Platform Authorization Bypass (CVE-2025-0337)
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Timeline
01/08/2025 🔍03/06/2025 🔍
03/06/2025 🔍
03/14/2025 🔍
Sources
Advisory: KB1948695Researcher: Justin Hocquel
Status: Confirmed
CVE: CVE-2025-0337 (🔍)
GCVE (CVE): GCVE-0-2025-0337
GCVE (VulDB): GCVE-100-298872
Entry
Created: 03/06/2025 18:23Updated: 03/14/2025 19:27
Changes: 03/06/2025 18:23 (73), 03/14/2025 19:27 (2)
Complete: 🔍
Cache ID: 216::103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.