Review suspicious activity (June 2, 2026)

elf
Tera Contributor

Hi all,

Is anyone else having trouble determining what happened on their upgraded instances in Australia on June 2, 2026? We’ve received logs from ServiceNow, but reviewing such a large volume of data is time-consuming. Also, since the issue was caused by a vulnerability in the upgraded ServiceNow instances, is it really our responsibility to analyze all these logs?

3 REPLIES

Tanushree Maiti
Tera Patron

Hi @elf

Raise a case (Hi Ticket) with your ServiceNow vendor. They will analyze the log and let you know the reason (if any issue happened during the upgrade) and what the root cause was.

In case of any concern (escalation), reach out to your ServiceNow Account Executive.

 

 

 

Please Accept the solution if it assisted you with your question & Mark this response as Helpful.
Regards
Tanushree Maiti
ServiceNow Technical Architect
LinkedIn: https://www.linkedin.com/in/tanushreemaiti

Mark Roethof
Tera Patron

It seems that there was a serious security issue (until June 5?) where unauthenticated users were able to access the sys_user table. This concerns only the Australia release.

If any unauthenticated activities really happened, you might be able to get that from the node logs... though those are massive. Perhaps AI can help you on that 😅

 


 

Kind regards,

 

Mark Roethof

Independent ServiceNow Consultant

10x ServiceNow MVP

---

 

~444 Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field


Any table accessible from the global scope was exposed. But you'd most likely see a larger volume of calls to the API, as the data was exposed by inference from the results.

If you don't have inbound logging on in prod then you can't see the body in the request from the node logs and can't tell what was exposed.
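Added example, not part of any post in this thread and not ServiceNow tooling: a first-pass triage of an exported request log that flags unauthenticated API callers either because the URL names sys_user or because of call volume alone, which is the only signal left when request bodies were not logged. The CSV column names, the `guest` label for unauthenticated sessions, the placeholder URLs and the `burst` threshold are all assumptions to adapt to your own export.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export. Column names, IPs and URL paths are placeholders,
# not a real ServiceNow log layout; map them to the fields in your own logs.
SAMPLE_LOG = """ts,src_ip,user,url
2026-06-02T01:10:00,203.0.113.7,guest,/api/placeholder/a?table=sys_user
2026-06-02T01:10:01,203.0.113.7,guest,/api/placeholder/a
2026-06-02T01:10:02,203.0.113.7,guest,/api/placeholder/a
2026-06-02T01:10:03,203.0.113.7,guest,/api/placeholder/a
2026-06-03T09:00:00,198.51.100.20,guest,/api/placeholder/b
2026-06-03T09:05:00,192.0.2.5,alice,/api/placeholder/a?table=sys_user
2026-06-04T12:00:00,198.51.100.77,guest,/api/placeholder/c
2026-06-04T12:00:01,198.51.100.77,guest,/api/placeholder/c
2026-06-04T12:00:02,198.51.100.77,guest,/api/placeholder/c
2026-06-10T08:00:00,203.0.113.9,guest,/api/placeholder/a?table=sys_user
"""

def triage(log_text, start, end, unauth_user="guest",
           tables=("sys_user",), burst=3):
    """Return (src_ip, api_calls, table_hits) for unauthenticated API callers
    in [start, end) that name a watched table in the URL or reach `burst`."""
    per_ip = defaultdict(lambda: {"calls": 0, "tables": Counter()})
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        if not (start <= ts < end) or row["user"] != unauth_user:
            continue  # outside the window, or an authenticated session
        if not row["url"].startswith("/api/"):
            continue
        entry = per_ip[row["src_ip"]]
        entry["calls"] += 1
        for table in tables:
            if table in row["url"]:
                entry["tables"][table] += 1
    # Without request bodies the URL may never name the table, so call
    # volume alone is also treated as a signal.
    findings = [(ip, e["calls"], dict(e["tables"]))
                for ip, e in per_ip.items()
                if e["tables"] or e["calls"] >= burst]
    return sorted(findings, key=lambda f: f[1], reverse=True)

if __name__ == "__main__":
    # Window taken from the thread: June 2 through June 5, 2026.
    for finding in triage(SAMPLE_LOG, datetime(2026, 6, 2), datetime(2026, 6, 6)):
        print(finding)
```

A source flagged only by volume tells you that something was queried, not what was returned, so treat it as a lead for the vendor case rather than a scoping result.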