
Cyber attackers are increasing their efforts to exploit three ServiceNow vulnerabilities that are over a year old, in order to gain access to unpatched company instances, according to recent warnings from security researchers.

On Tuesday, threat intelligence startup GreyNoise published a blog post stating that it had observed a significant resurgence of real-world attacks targeting the three ServiceNow vulnerabilities, identified as CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217.

These vulnerabilities were initially disclosed by researchers at Assetnote in May 2024, and subsequently patched by ServiceNow a few months later, in July 2024.

According to GreyNoise, all three vulnerabilities have experienced a resurgence in targeted exploitation attempts over the past week. Although the identities of those behind this recent wave of attacks are unknown, GreyNoise reported that 70% of the malicious activity it detected in the past week targeted systems located in Israel, with additional activity observed in Germany, Japan, and Lithuania.

As previously noted by Assetnote, GreyNoise confirms that the vulnerabilities can be combined to achieve full access to the database of affected ServiceNow instances. Many organizations utilize the ServiceNow platform to store sensitive employee data, including personally identifiable information and HR records related to employment.

A ServiceNow spokesperson, Erica Faltous, informed TechCrunch that the company was first made aware of the vulnerabilities nearly a year ago, and to date, no customer impact from an attack campaign has been observed.

Following Assetnote’s disclosure of the vulnerabilities last year, U.S. security firm Resecurity warned that foreign threat actors had attempted to exploit the three ServiceNow vulnerabilities to target both private sector companies and government agencies globally.

Resecurity reported witnessing targeted exploitation attempts against an energy company, a data center organization, a Middle Eastern government agency, and a software development company.

Cybersecurity company Imperva released another report in July 2024, warning that it had also observed exploitation attempts across 6,000 sites spanning various industries, with a particular focus on the financial services sector.

