Paul Alkemade
I'm an offensive security engineer based in Melbourne we're I've been hacking away for over six years. When I'm not staring at a computer screen I'm probably stuck out bush trying not to stare at my phone.
Session
ServiceNow is at the center of workflows and platform integrations for roughly 85% of enterprises - yet it rarely charts high as a priority in the pentesting backlog. Instances are generally put togther by "no-code / low-code" citizen developers who rarely have a software-engineering background. Combine all of this with the fact they are tinkering with a 20 year old monolith to plumb together some of your organisations most sensitive data - and you have an incredibly bespoke attack surface, unique to every org.
This talk is a field guide to attacking that surface, how to navigate and dissect a ServiceNow instance to review the custom code and components for critical vulnerabilities. Covering insecure patterns that lead to unauthorized data access, privilege escalation, and even arbitrary code execution.
While this talk isn't aimed at identifying platform level bugs, it reviews CVE-2026-0542, a critical unauthenticated arbitrary code execution vulberabiltiy discovered using the same techniques. This vulnerability was present in default components written by ServiceNow that affected every instance - and the deep dive reveals why customer instances could still harbor their own versions of this.
Defenders leave knowing their actual attack surface and how to reduce it, what to audit in custom code, enabling better logging and monitoring, and awareness of a reporting gap between ServiceNow's own CVEs versus the advisories that go straight to customers — including a public CVE record that still reads "fixed" for a bug class only truly closed by patches much later.
Since most customers get exactly one self-run pentest per calendar year, the goal of this talk is to leave you able to make that one shot really count.