ServiceNow Patches CVE-2026-6875 Unauthenticated RCE in AI Platform

ServiceNow patched CVE-2026-6875, a CVSS 9.5 unauthenticated remote code execution flaw in its AI platform; hosted instances auto-patched, self-hosted require manual update.
Table of Contents
    Add a header to begin generating the table of contents

    ServiceNow disclosed and patched CVE-2026-6875, a CVSS 9.5 critical unauthenticated remote code execution vulnerability in the ServiceNow AI platform — the enterprise IT service management and workflow automation system deployed across thousands of large enterprises and government agencies. An attacker with network access to a vulnerable ServiceNow instance can execute arbitrary code on the application server without supplying any credentials and without requiring any user interaction.

    CVE-2026-6875: Attack Surface and Patch Deployment for ServiceNow Installations

    ServiceNow’s AI platform manages IT workflows — incident management, asset tracking, HR service delivery, and security operations automation — across major enterprise and government customers. An unauthenticated RCE at CVSS 9.5 means that any attacker who can reach a vulnerable ServiceNow instance over the network can execute code on the underlying application server without establishing any prior authentication context. From that execution position, the attacker can access workflow data, query connected databases, and potentially pivot to integrated systems that share identity or network access with the ServiceNow instance.

    ServiceNow stated it is “not aware of the addressed vulnerabilities being exploited in the wild” as of the advisory’s publication. The absence of confirmed exploitation does not reduce patching urgency for self-hosted customers — critical unauthenticated vulnerabilities in enterprise systems with large customer populations are high-priority targets for threat actors conducting mass scanning campaigns.

    Hosted vs. Self-Hosted ServiceNow Instances and What Auto-Patching Covers

    ServiceNow deployed security updates automatically to hosted instances — the majority of ServiceNow deployments, which run on ServiceNow’s own cloud infrastructure. Customers running on hosted ServiceNow received the fix without manual intervention.

    Self-hosted customers, who operate ServiceNow on their own on-premises or private cloud infrastructure, received the patches through the normal update distribution channel and were directed to apply them immediately. Organizations in this category must confirm that their instance administrators have applied the patch; there is no automatic deployment mechanism for self-hosted environments. Given the unauthenticated nature of CVE-2026-6875, self-hosted instances that are reachable from the internet or from broad internal network segments carry the highest risk during the period before patching is confirmed.

    The distinction between hosted and self-hosted deployment matters operationally. Security teams at organizations running self-hosted ServiceNow should verify patch application and check whether any anomalous code execution activity occurred on the ServiceNow application server before the patch was applied.

    Additional Fortinet and Ivanti Vulnerabilities Disclosed Alongside CVE-2026-6875

    The same advisory cycle that surfaced CVE-2026-6875 included separate disclosures from Fortinet and Ivanti. Fortinet published 12 advisories covering FortiOS, FortiProxy, FortiSASE, FortiSIEM, FortiClient EMS, FortiAuthenticator, FortiPAM, FortiSwitch, and FortiSandbox — all rated high severity, with no active exploitation confirmed as of disclosure. Ivanti disclosed CVE-2026-14902, an open redirect, and CVE-2026-14903, a path traversal, both in Ivanti Xtraction — rated medium and high severity respectively.

    Neither the Fortinet nor Ivanti vulnerabilities disclosed alongside ServiceNow’s advisory include confirmed active exploitation. The July 15 multi-vendor advisory date reflects a coordinated or simultaneous disclosure pattern rather than a single coordinated patch event; each vendor released their advisories on the same calendar date but through separate disclosure and patch processes.

    Why Code Execution in ServiceNow Creates Downstream Risk Beyond ITSM Data

    ServiceNow’s integration footprint in large enterprise environments extends well beyond IT ticketing. The platform connects to identity providers for authentication, to cloud infrastructure management tools, to HR systems containing employee records, and to security operations platforms where it functions as a SOAR hub or ticketing layer for incident response workflows. Code execution on the ServiceNow application server therefore represents potential access to the data ServiceNow processes and to the credentials and integration tokens it uses to communicate with connected systems.

    In enterprise environments that use ServiceNow as a security operations hub — ingesting alerts, managing incident tickets, and coordinating response workflows — a compromised ServiceNow instance could expose active security incidents, incident response playbooks, and the authentication tokens that let ServiceNow call other security tools. This is a qualitatively different risk profile than a compromised ITSM system that handles only IT helpdesk tickets.

    ServiceNow’s automatic patching of hosted instances limits the exposure window for the largest customer population. Organizations running self-hosted deployments should treat CVE-2026-6875 as an emergency patching priority and conduct retrospective log review on the ServiceNow application server to confirm no exploitation preceded the patch deployment.

    Related Posts