CVE-2024-5217 — ServiceNow Incomplete List of Disallowed Inputs Vulnerability

ServiceNow Now Platform — Unauthenticated RCE via GlideExpression Script Injection

What is ServiceNow GlideExpression?

ServiceNow is a cloud-based enterprise service management platform used by thousands of large organizations for ITSM, HR workflows, and business process automation. GlideExpression is a ServiceNow scripting framework that evaluates dynamic expressions and scripts within the platform — for example, to calculate field values, apply business rules, and drive workflow logic. GlideExpression scripts run with platform-level privileges and can access the full ServiceNow data model, making a server-side injection into the GlideExpression evaluator a high-impact code execution primitive.

Overview

CVE-2024-5217 is an incomplete denylist vulnerability in the GlideExpression scripting component of ServiceNow's Now Platform that allows an unauthenticated remote attacker to execute arbitrary code on the platform. The denylist approach to blocking dangerous script patterns — rather than a robust allowlist or sandboxed evaluation — was bypassed, enabling injection through patterns the blocklist did not cover. It was disclosed on July 10, 2024 alongside CVE-2024-4879 (Jelly template injection), and the two were exploited together in active campaigns targeting internet-accessible ServiceNow instances. CISA added both to the KEV catalog on July 29, 2024.

Affected Versions

Platform Release | Vulnerable | Fixed
Utah | Prior to hotfix patch | Apply KB1648313 hotfix
Vancouver | Prior to hotfix patch | Apply KB1648313 hotfix
Washington DC | Prior to hotfix patch | Apply KB1648313 hotfix

Consult KB1648313 for the specific hotfix for your release version.

Technical Details

CWE-184 (Incomplete List of Disallowed Inputs). ServiceNow's GlideExpression evaluator used a denylist to block dangerous expression patterns from being evaluated server-side. A denylist only blocks the patterns its authors anticipated, so any pattern it omits passes through: attackers identified expressions not covered by the blocklist that, when submitted by an unauthenticated user, were passed to the GlideExpression evaluator and executed as server-side code with platform privileges.

GlideExpression scripts have access to ServiceNow's internal APIs and can:

  • Read and write any data in the ServiceNow database (user records, tickets, configurations)
  • Execute server-side JavaScript with platform-level permissions
  • Interact with integrations and workflows

CVE-2024-5217 and CVE-2024-4879 represent two different injection vectors into the same platform's server-side evaluation — both were used in observed attack campaigns, and ServiceNow patched them simultaneously.

Discovery

Reported to ServiceNow through coordinated disclosure. Patches were released on July 10, 2024. Security researchers and threat intelligence teams observed active exploitation of both CVEs shortly after public disclosure.

Exploitation Context

Exploitation was observed in the wild alongside CVE-2024-4879, with threat actors targeting internet-accessible ServiceNow instances to extract sensitive organizational data. Observed post-exploitation activity included bulk export of ServiceNow database contents — particularly user tables, incident tickets (often containing embedded credentials and system access details), change management records, and configuration item (CI) data. The data exfiltrated from compromised ServiceNow instances provided attackers with detailed organizational intelligence and credentials usable for further network access.

Remediation

  1. Apply the ServiceNow hotfix for your release as described in KB1648313.
  2. Apply the CVE-2024-4879 patch (KB1645154) simultaneously — both vulnerabilities should be addressed together.
  3. Verify patch application via the ServiceNow system update log.
  4. Consider restricting ServiceNow instance access to trusted IP ranges or requiring VPN/SSO for external access.
  5. Audit system logs for unauthorized script execution or mass data access patterns indicating prior exploitation.
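Step 5 asks for an audit of mass data access. The following is an added example for this page, not a ServiceNow tool: it runs a simple bulk-access heuristic over constructed log lines in a hypothetical `timestamp user table rows` format (real ServiceNow log formats differ, so `parse_line` is the part to adapt). The table names are ServiceNow's standard ones for the data types named in the Exploitation Context section; the thresholds and the sample activity are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp user table rows_read"
# format. The first three lines model the bulk-export pattern described in
# the advisory; the last two model ordinary analyst activity.
SAMPLE_LOG = """\
2024-07-12T02:14:07Z api_user sys_user 50000
2024-07-12T02:14:52Z api_user incident 120000
2024-07-12T02:15:30Z api_user cmdb_ci 80000
2024-07-12T09:01:11Z jsmith incident 25
2024-07-12T09:02:40Z jsmith incident 30
"""

# Standard ServiceNow table names for the data types the advisory lists.
SENSITIVE_TABLES = {"sys_user", "incident", "change_request", "cmdb_ci"}


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, user, table, rows)."""
    ts, user, table, rows = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, table, int(rows)


def find_bulk_access(log_text: str, row_threshold: int = 10000,
                     window: timedelta = timedelta(minutes=10),
                     min_tables: int = 2) -> list:
    """Flag users that read at least row_threshold rows from at least
    min_tables sensitive tables within one sliding time window.

    The combination matters: a single large read of one table is common
    (reports, integrations); many tables drained in minutes is not."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, table, rows = parse_line(line)
        if table in SENSITIVE_TABLES:
            events[user].append((ts, table, rows))

    alerts = []
    for user, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            tables = {t for _, t, _ in in_window}
            total = sum(r for _, _, r in in_window)
            if total >= row_threshold and len(tables) >= min_tables:
                alerts.append({"user": user, "start": start,
                               "rows": total, "tables": sorted(tables)})
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_access(SAMPLE_LOG):
        print(f"{alert['user']} read {alert['rows']} rows from "
              f"{', '.join(alert['tables'])} starting {alert['start']:%Y-%m-%d %H:%M}")
```

Tune `row_threshold` and `window` to the instance's normal integration traffic before relying on the output; a service account that legitimately syncs the user table nightly will otherwise appear every night.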

Key Details

Property | Value
CVE ID | CVE-2024-5217
Vendor / Product | ServiceNow — Utah, Vancouver, and Washington DC Now Platform
NVD Published | 2024-07-10
NVD Last Modified | 2025-11-03
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-184
CISA KEV Added | 2024-07-29
CISA KEV Deadline | 2024-08-19
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2024-08-19. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2024-07-10 | CVE published; ServiceNow releases hotfixes
2024-07-29 | Added to CISA Known Exploited Vulnerabilities catalog
2024-08-19 | CISA BOD 22-01 remediation deadline

References

Resource | Type
ServiceNow Knowledge Base — KB1648313 | Vendor Advisory
NVD — CVE-2024-5217 | Vulnerability Database
CISA KEV Catalog Entry | US Government