According to public reports, the activity appears to be associated with a Scripted REST Resource endpoint (/api/now/related_list_edit/create) that was allegedly configured with requires_authentication = false, potentially allowing unauthenticated access to backend functionality. Security researchers and affected customers have reported observing requests originating from IP address 51.159.98.241, with multiple instances recording successful access attempts against the endpoint. Because requests were processed without an authenticated user context, activity may have been logged under the Guest user account, complicating attribution and detection efforts.
ServiceNow stated that the issue affected customer instances running the Australia release or environments that had adopted certain pre-release configuration changes. The company reported observing successful table queries in a subset of customer environments and indicated that affected customers were notified directly. At the time of publication, details regarding the full scope of data exposure and exploitation remain limited.
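As an added example (not code from ServiceNow or from the reports cited above), the following sketch triages an exported request log for the pattern described: requests to the named endpoint that were processed under the Guest user, grouped by source IP. The CSV column names (timestamp, source_ip, user, status, url), the helper names, and all sample rows are assumptions constructed for illustration; map them to whatever your log export actually provides.

```python
import csv
import io
from urllib.parse import urlsplit

ENDPOINT = "/api/now/related_list_edit/create"  # path named in the reports
REPORTED_IP = "51.159.98.241"                    # source IP named in the reports

# Constructed sample export. Column names and rows are assumptions made for
# this example; they are not a ServiceNow log schema.
SAMPLE_LOG = """timestamp,source_ip,user,status,url
2000-01-01T00:00:01Z,51.159.98.241,guest,200,/api/now/related_list_edit/create?example=1
2000-01-01T00:00:02Z,51.159.98.241,Guest,200,/api/now/related_list_edit/create/
2000-01-01T00:00:03Z,51.159.98.241,guest,401,/api/now/related_list_edit/create
2000-01-01T00:00:04Z,203.0.113.9,guest,200,/api/now/related_list_edit/create
2000-01-01T00:00:05Z,198.51.100.20,admin.user,200,/api/now/related_list_edit/create
2000-01-01T00:00:06Z,203.0.113.9,guest,200,/api/now/table/incident
"""

def load(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def is_target(url):
    """Match the endpoint path, ignoring query string, trailing slash and case."""
    return urlsplit(url).path.rstrip("/").lower() == ENDPOINT

def triage(rows):
    """Summarise Guest-context requests to the endpoint, keyed by source IP."""
    findings = {}
    for row in rows:
        if not is_target(row["url"]):
            continue
        # Unauthenticated requests are expected to be logged as the Guest user.
        if row["user"].strip().lower() != "guest":
            continue
        ip = row["source_ip"].strip()
        entry = findings.setdefault(
            ip, {"requests": 0, "successful": 0, "reported_ip": ip == REPORTED_IP}
        )
        entry["requests"] += 1
        if row["status"].strip().startswith("2"):  # 2xx means the request was served
            entry["successful"] += 1
    return findings

if __name__ == "__main__":
    for ip, entry in triage(load(SAMPLE_LOG)).items():
        print(ip, entry)
```

Any source IP with a non-zero "successful" count warrants review of what the request returned, whether or not it matches the reported address.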