πŸ” CVE Alert

CVE-2024-5217

CRITICAL 9.8 ⚠️ CISA KEV

Incomplete Input Validation in GlideExpression Script

CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th

ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform.Β The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.

CWE CWE-184
Vendor servicenow
Product now platform
Published Jul 10, 2024
Last Updated Oct 21, 2025
⚠️ Actively Exploited β€” Act Now

Get instant alerts for servicenow now platform

This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2024-5217.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

ServiceNow / Now Platform
0 < Utah Patch 10 Hot Fix 3 0 < Utah Patch 10a Hot Fix 2 0 < Utah Patch 10b Hot Fix 1 0 < Vancouver Patch 6 Hot Fix 2 0 < Vancouver Patch 7 Hot Fix 3b 0 < Vancouver Patch 8 Hot Fix 4 0 < Vancouver Patch 9 Hot Fix 1 0 < Vancouver Patch 10 0 < Washington DC Patch 1 Hot Fix 3b 0 < Washington DC Patch 2 Hot Fix 2 0 < Washington DC Patch 3 Hot Fix 2 0 < Washington DC Patch 4 0 < Washington DC Patch 5

References

NVD β†— CVE.org β†— EPSS Data β†—
support.servicenow.com: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313 support.servicenow.com: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293 darkreading.com: https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-5217

Credits

Adam Kues Assetnote Attack Surface Management