Hi, ServiceNow dev here. I'd agree that the CVSS might be a little overinflated, but I don't think by much.
I would argue that ServiceNow as a singular component is flawed. It could be several applications on a single instance: Vulnerability Response, Security Incident Response, IT Service Management, IT Operations Management, Vendor Risk Management, CMDB, etc.
I actually think that in some instances this vulnerability is considerably worse due to the information it provides: user contact information, an inventory of the security vulnerabilities across the organization, applications & versions, server information, etc. The social engineering issues are massive, since they can spoof from essentially your service desk.
Oftentimes ServiceNow has access to other subsystems: MID Servers, provisioning tools, monitoring systems, desktop orchestration tools. These systems are often used to handle the response & monitoring. The ServiceNow teams are often understaffed and underskilled.
I've only been thinking about this for the last hour, but compromise one account (and I can think of at least five different ways that could happen) and a hacker could have:
- a complete topology of your infrastructure
- your active security vulnerabilities
- contact information for your entire company
- a very convincing spoofing method
- the ability to remotely install software on customer desktops
- the ability to monitor your response to security issues
- access to your provisioning tools
This kind of attack could go undetected for years. God forbid ServiceNow's internal instance got compromised: they can remote in to ANY instance.