Review suspicious activity (June 2, 2026)
4 weeks ago
Hi all,
Is anyone else having trouble determining what happened on their upgraded instances in Australia on June 2, 2026? We’ve received logs from ServiceNow, but reviewing such a large volume of data is time-consuming. Also, since the issue was caused by a vulnerability in the upgraded ServiceNow instances, is it really our responsibility to analyze all these logs?
4 weeks ago - last edited 4 weeks ago
Hi @elf
Raise a case (Hi Ticket) with your ServiceNow vendor. They will analyze the log and will let you know the reason (if any issue happened during the upgrade) and what the root cause was.
In case of any concern (escalation), reach out to your ServiceNow Account Executive.
Regards
Tanushree Maiti
ServiceNow Technical Architect
LinkedIn: https://www.linkedin.com/in/tanushreemaiti
3 weeks ago - last edited 3 weeks ago
It seems that there was a serious security issue (until June 5?) where unauthenticated users were able to access the sys_user table. This concerns only the Australia release.
If any unauthenticated activities really happened, you might be able to get that from the node logs... though those are massive. Perhaps AI can help you with that 😅
Kind regards,
Mark Roethof
Independent ServiceNow Consultant
10x ServiceNow MVP
---
~444 Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field
3 weeks ago
Any table accessible from the global scope was exposed. But you'd most likely see a larger volume of calls to the API, as the data was exposed by inference from the results.
If you don't have inbound logging on in prod then you can't see the body in the request from the node logs and can't tell what was exposed.
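An added example, not part of the thread and not ServiceNow code: one way to triage a large log export for the pattern the replies describe, a burst of unauthenticated API calls inside the June 2 to June 5 window. The CSV column names, the `guest` user label for unauthenticated sessions, the threshold and the sample rows are all assumptions to adapt to whatever format your export actually uses.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample rows. The column layout is an assumption, not a ServiceNow log format.
SAMPLE_EXPORT = """\
timestamp,source_ip,user,method,path
2026-06-02T01:00:01,198.51.100.7,guest,GET,/api/now/table/sys_user?sysparm_limit=10
2026-06-02T01:00:02,198.51.100.7,guest,GET,/api/now/table/sys_user
2026-06-02T01:00:03,198.51.100.7,guest,GET,/api/now/table/sys_user
2026-06-03T04:10:00,198.51.100.7,guest,GET,/api/now/table/sys_user_group
2026-06-03T09:15:00,203.0.113.20,jane.admin,GET,/api/now/table/sys_user
2026-06-04T11:00:00,192.0.2.33,guest,GET,/api/now/table/incident
2026-06-04T11:05:00,192.0.2.33,guest,GET,/login.do
2026-06-09T08:00:00,198.51.100.7,guest,GET,/api/now/table/sys_user
"""

# Window taken from the thread; the June 5 end date is given there with a question mark.
WINDOW_START = datetime(2026, 6, 2)
WINDOW_END = datetime(2026, 6, 6)  # exclusive upper bound, so June 5 is included
UNAUTH_USERS = {"guest", ""}       # assumption: how the export labels unauthenticated calls


def triage(rows, min_calls=3, start=WINDOW_START, end=WINDOW_END):
    """Return (source_ip, total_calls, calls_per_path) for each source whose
    unauthenticated API calls inside the window reach min_calls, busiest first."""
    per_source = defaultdict(Counter)
    for row in rows:  # rows is any iterator, so a huge file is streamed, not loaded
        ts = datetime.fromisoformat(row["timestamp"])
        if not (start <= ts < end):
            continue
        if row["user"].strip().lower() not in UNAUTH_USERS:
            continue
        path = row["path"].split("?", 1)[0]  # group by endpoint, ignore the query string
        if not path.startswith("/api/"):
            continue
        per_source[row["source_ip"]][path] += 1
    findings = [(ip, sum(c.values()), dict(c)) for ip, c in per_source.items()
                if sum(c.values()) >= min_calls]
    return sorted(findings, key=lambda f: f[1], reverse=True)


def triage_text(text, min_calls=3):
    """Convenience wrapper for an export held in a string."""
    return triage(csv.DictReader(io.StringIO(text)), min_calls)


if __name__ == "__main__":
    for ip, total, paths in triage_text(SAMPLE_EXPORT):
        print(ip, total, paths)
```

For a real export, pass `csv.DictReader(open(path, newline=""))` to `triage` so the file is read row by row. As the last reply notes, this only shows which endpoints were called and how often; without inbound request logging the request bodies are not available.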