"ServiceBridge was invisible by design - that was the point. Siemba was the first team to treat that invisibility as a risk. The OAuth findings alone would have given an attacker administrative control of our entire IT infrastructure."

Okafor David
VP of IT Security, Enterprise ITSM Provider
5 days - Full Integration Hardened End-to-End
8 - Critical Vulnerabilities Found in the Integration Layer
3 - Data Exfiltration Paths Identified via ServiceNow API

The Attack Surface Hidden in Plain Sight: An Enterprise AI Integration Story


KEY SOLUTIONS

GenPT (AI-Driven DAST) · Penetration Testing as a Service (PTaaS) · MCP Protocol Security Testing · OAuth Token Stress Testing · JSON-RPC Fuzzing · Business Logic Audit · Privilege Escalation Testing

THE SCENARIO

When AI Gets the Keys to IT Infrastructure

The client had built ServiceBridge, a Model Context Protocol (MCP) server acting as the bridge between their AI interface (OpenWebUI) and ServiceNow. Instead of engineers manually working through dashboards, the AI could autonomously file high-priority incidents, query and patch vulnerability records, and automate CMDB updates.

The server handled complex OAuth token propagation, ensuring that when the AI acted, it acted as the human user. This was elegant engineering. It was also a trust boundary that had never been stress-tested by an adversary.

THE THREAT

The Stakes: Administrative Control of IT Infrastructure

If this middleware layer is compromised, an attacker does not just get data. They get the ability to shut down servers, corrupt the CMDB, and manipulate the organization's entire IT management workflow, all through the AI, acting as a legitimate user.

Two distinct risk categories defined this engagement:

  • Token Integrity - could a malicious actor intercept or replay OAuth tokens to impersonate an administrator? Could expired or revoked tokens be manipulated to maintain access?
  • Logic Bypasses - could the agent be forced to execute tool calls that violated business rules? For example: closing a critical vulnerability without a fix in place, or creating incidents with invalid parameters that downstream systems would blindly process?

What if knowing the right words gave a vendor admin access to your entire infrastructure?

Most teams find out from an attacker. Some find out from Siemba.


THE TEST

Deep Dive: GenPT Hammers, PTaaS Audits

Siemba executed a "Deep Dive" assessment - GenPT automated adversarial testing of the MCP communication layer at scale, while PTaaS experts audited the complex authentication flows that automated tools routinely miss. Neither approach alone would have found everything.

JSON-RPC fuzzing (GenPT)

GenPT inspected the raw JSON-RPC messages exchanged between the AI client and the MCP server, autonomously injecting malformed data to test whether the server would crash, leak stack traces, or silently accept payloads that violate business logic, such as an incident filed at critical priority with no description.

OAuth stress testing (PTaaS)

The team simulated token expiry, revocation and manipulation scenarios. They specifically tested whether a user holding only "Read Only" ServiceNow permissions could trick the MCP server into performing "Write" actions, an authorization flaw that no code-level scanner would flag because it lives in the runtime relationship between the token and the tool call, not in any single line of code.

Code-assisted logic audit (PTaaS)

Siemba's experts traced the exact data path from every "Tool Call" entry point to ServiceNow API execution, identifying points where the server blindly trusted the AI's intent without performing independent verification of the request's legitimacy.


THE FIX

From Trusted Blindly to Verified Cryptographically

F-01 - Server-Side Validation

All data received from the AI agent is now validated and cryptographically verified server-side before it reaches ServiceNow, regardless of what the agent transmits. The server no longer assumes well-formed input, and business rules (such as a critical incident requiring a description) are enforced by the server rather than left to the agent.

F-02 - Cryptographic OAuth Scope Binding

Every tool call is now cryptographically bound to the calling user's OAuth scope. The authorization check is independent of the request format, so knowing the structure of the underlying API no longer provides a path to privilege escalation: a read-only user cannot reach a write action by reshaping the request.
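The two failure modes the assessment exercised (a read-only user reaching a write through the request's shape, and a critical incident with no description being accepted) and the two fixes above (F-01 server-side validation, F-02 scope checks independent of request format) are easiest to see side by side in code. The following is an added example, not ServiceBridge or Siemba code: a trusting MCP `tools/call` dispatcher beside a hardened one, with a constructed stand-in for the ServiceNow REST client. The tool names, scope strings (`snow.read`, `snow.write`), table names, the 1-to-5 priority convention and the request shapes are all assumptions for the illustration.

```python
"""Tool-call dispatch for an MCP server fronting ServiceNow: a trusting
dispatcher beside a hardened one. Added illustration, not ServiceBridge or
Siemba code; tool names, scopes, tables and request shapes are assumed."""
from __future__ import annotations

import json

READ_SCOPE, WRITE_SCOPE, READ_METHODS = "snow.read", "snow.write", {"GET"}


class FakeServiceNow:
    """Constructed stand-in for the ServiceNow REST client; records calls."""
    def __init__(self):
        self.calls = []

    def request(self, method, table, body):
        self.calls.append((method, table, dict(body)))
        return {"result": {"sys_id": f"sys{len(self.calls)}"}}


def rpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


# Before: the scope check keys on the tool *name*; arguments, including an
# optional 'method'/'table' override, are forwarded to ServiceNow as-is.
TRUSTING_TOOLS = {"query_records": ("GET", "incident", READ_SCOPE),
                  "create_incident": ("POST", "incident", WRITE_SCOPE)}


def trusting_handle(raw: str, principal: dict, snow: FakeServiceNow) -> dict:
    req = json.loads(raw)
    params = req.get("params", {})
    name, args = params.get("name"), dict(params.get("arguments", {}))
    if name not in TRUSTING_TOOLS:
        return rpc_error(req.get("id"), -32601, "unknown tool")
    method, table, needed = TRUSTING_TOOLS[name]
    if needed not in principal["scope"].split():
        return rpc_error(req.get("id"), -32003, "forbidden")
    # Bug: the request's shape decides the effect, but only the tool name was
    # authorized, so a read-only user who knows the passthrough can write.
    method, table = args.pop("method", method), args.pop("table", table)
    return {"jsonrpc": "2.0", "id": req.get("id"), "result": snow.request(method, table, args)}


def validate_incident(fields: dict) -> str | None:
    """Business rules enforced server-side. Assumed convention: priority 1 is critical."""
    try:
        prio = int(fields.get("priority", 5))
    except (TypeError, ValueError):
        return "priority must be an integer"
    if prio not in range(1, 6):
        return "priority out of range"
    if prio == 1 and not str(fields.get("short_description", "")).strip():
        return "critical incident requires a description"
    return None


# After: each tool's effect (HTTP method and table) is fixed in code, the
# required scope is derived from that effect, and fields are allow-listed.
HARDENED_TOOLS = {"query_records": ("GET", "incident", {"number", "sysparm_query"}),
                  "create_incident": ("POST", "incident", {"priority", "short_description"})}


def hardened_handle(raw: str, principal: dict, snow: FakeServiceNow) -> dict:
    try:
        req = json.loads(raw)
    except json.JSONDecodeError:
        return rpc_error(None, -32700, "parse error")
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" or req.get("method") != "tools/call":
        return rpc_error(None, -32600, "invalid request")
    req_id, params = req.get("id"), req.get("params")
    params = params if isinstance(params, dict) else {}
    name, args = params.get("name"), params.get("arguments")
    if name not in HARDENED_TOOLS or not isinstance(args, dict):
        return rpc_error(req_id, -32602, "invalid params")
    method, table, allowed = HARDENED_TOOLS[name]
    if unknown := set(args) - allowed:
        return rpc_error(req_id, -32602, f"unexpected fields: {sorted(unknown)}")
    # Authorization follows the effect, never the tool name or argument shape.
    needed = READ_SCOPE if method in READ_METHODS else WRITE_SCOPE
    if needed not in principal.get("scope", "").split():
        return rpc_error(req_id, -32003, f"scope {needed} required")
    if method not in READ_METHODS and (err := validate_incident(args)):
        return rpc_error(req_id, -32602, err)
    return {"jsonrpc": "2.0", "id": req_id, "result": snow.request(method, table, args)}


def call(name, arguments, req_id=1):
    return json.dumps({"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
                       "params": {"name": name, "arguments": arguments}})


def demo() -> dict:
    reader = {"sub": "alice", "scope": READ_SCOPE}            # read-only user
    writer = {"sub": "bob", "scope": "snow.read snow.write"}
    # Constructed requests: a read tool smuggling a write, a critical incident
    # with no description, and a legitimate write for comparison.
    sneaky = call("query_records", {"method": "PATCH", "short_description": "pwned"})
    hollow = call("create_incident", {"priority": 1}, 2)
    legit = call("create_incident", {"priority": 3, "short_description": "disk full"}, 3)
    before, after = FakeServiceNow(), FakeServiceNow()
    return {"trusting_sneaky": trusting_handle(sneaky, reader, before),
            "hardened_sneaky": hardened_handle(sneaky, reader, after),
            "hardened_hollow": hardened_handle(hollow, writer, after),
            "hardened_legit_as_reader": hardened_handle(legit, reader, after),
            "hardened_legit": hardened_handle(legit, writer, after),
            "before_calls": before.calls, "after_calls": after.calls}
```

Running `demo()` shows the trusting dispatcher issuing a `PATCH` to the incident table on behalf of a read-only user, because the scope check passed on the tool name before the argument overrode the method. The hardened dispatcher rejects the same request on the allow-list alone, refuses the legitimate write for the read-only user on scope, and bounces the description-less critical incident on the business rule, while the well-formed write from a user with `snow.write` goes through. The point to carry into a real server is structural: the effect of a tool is decided by server code, the scope check is computed from that effect, and only then is the payload validated and forwarded.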

F-03 - Token Propagation Hardening

Race conditions in the token refresh logic were eliminated. Long-running AI tasks now maintain stable, secure sessions throughout, with no windows of opportunity for token manipulation or session hijacking.
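The race F-03 describes is the classic check-then-refresh window: several concurrent tool calls in one long-running task all observe an expired access token and each try to refresh it. With an identity provider that rotates refresh tokens, the second refresh arrives with a refresh token that was just consumed and is rejected, so the session drops mid-task (or, with a provider that does not rotate, a second live token pair is left lying around). The following is an added example, not ServiceBridge or Siemba code: a racy token store beside a single-flight one, run against a constructed authorization server. `FakeAuthServer`, the token strings, the 20 ms round trip and the `threading.Barrier` used to reproduce the race deterministically are all assumptions for the illustration.

```python
"""Token refresh race in a long-running MCP session: the check-then-refresh
window beside a single-flight fix. Added illustration, not ServiceBridge or
Siemba code; FakeAuthServer, token strings and timings are constructed."""
from __future__ import annotations

import threading
import time
from dataclasses import dataclass


class InvalidGrant(Exception):
    """Stands in for an OAuth 'invalid_grant' error response."""


@dataclass
class Session:
    access_token: str
    refresh_token: str
    expires_at: float  # time.monotonic() deadline


class FakeAuthServer:
    """Constructed identity provider that rotates refresh tokens: a refresh
    with a stale refresh token is rejected, so a duplicated refresh does not
    merely waste a round trip, it drops the session."""

    def __init__(self):
        self.current_refresh = "rt-0"
        self.refresh_calls = 0
        self._lock = threading.Lock()

    def refresh(self, refresh_token: str) -> Session:
        with self._lock:
            self.refresh_calls += 1
            n = self.refresh_calls
            if refresh_token != self.current_refresh:
                raise InvalidGrant(f"stale refresh token {refresh_token}")
            self.current_refresh = new_refresh = f"rt-{n}"
        time.sleep(0.02)  # simulated network round trip
        return Session(f"at-{n}", new_refresh, time.monotonic() + 300.0)


class RacyTokenStore:
    """Before: every caller that observes an expired token refreshes it."""

    def __init__(self, auth: FakeAuthServer, session: Session, parties: int):
        self.auth, self.session = auth, session
        # Demo scaffolding: the barrier stands in for the scheduling gap
        # between the expiry check and the refresh, so the race reproduces
        # every time instead of depending on thread timing.
        self._gap = threading.Barrier(parties)

    def get_token(self) -> str:
        if time.monotonic() >= self.session.expires_at:
            self._gap.wait()
            self.session = self.auth.refresh(self.session.refresh_token)
        return self.session.access_token


class SingleFlightTokenStore:
    """After: one refresh per expiry; concurrent callers wait and reuse it."""

    def __init__(self, auth: FakeAuthServer, session: Session):
        self.auth, self.session = auth, session
        self._refresh_lock = threading.Lock()

    def get_token(self) -> str:
        if time.monotonic() < self.session.expires_at:
            return self.session.access_token
        with self._refresh_lock:
            # Re-check under the lock: a peer may have refreshed while we waited.
            if time.monotonic() >= self.session.expires_at:
                self.session = self.auth.refresh(self.session.refresh_token)
            return self.session.access_token


def run_concurrently(store, parties: int) -> dict:
    tokens, errors = [], []

    def worker():
        try:
            tokens.append(store.get_token())
        except InvalidGrant as exc:
            errors.append(str(exc))

    threads = [threading.Thread(target=worker) for _ in range(parties)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"tokens": sorted(set(tokens)), "errors": len(errors)}


def compare_stores(parties: int = 5) -> dict:
    def expired() -> Session:  # a session whose access token lapsed a second ago
        return Session("at-old", "rt-0", time.monotonic() - 1.0)

    racy_auth, safe_auth = FakeAuthServer(), FakeAuthServer()
    racy = run_concurrently(RacyTokenStore(racy_auth, expired(), parties), parties)
    safe = run_concurrently(SingleFlightTokenStore(safe_auth, expired()), parties)
    return {"racy": {**racy, "refresh_calls": racy_auth.refresh_calls},
            "safe": {**safe, "refresh_calls": safe_auth.refresh_calls}}


if __name__ == "__main__":
    print(compare_stores())
```

With five concurrent callers the racy store makes five refresh calls and all but the first are rejected with `invalid_grant`; the single-flight store makes exactly one and every caller receives the same fresh access token. The two ingredients of the fix are the lock around the refresh and the second expiry check inside it: the lock alone would serialize five refreshes rather than collapse them into one. In a real server the session object would also be keyed per user, so that one user's refresh can never hand a token to another user's tool call.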

THE LESSON

Ease of Use Cannot Come at the Cost of Security

ServiceBridge is invisible by design: it sits between the AI interface and the IT infrastructure, silently orchestrating high-stakes actions. That invisibility is precisely what makes it dangerous. The middleware that nobody watches is the middleware attackers target first.

This engagement proved that ease of use and enterprise-grade security are not mutually exclusive. AI-driven IT automation can be both seamlessly usable and rigorously hardened, but only if the integration layer is treated as a first-class security boundary, not an afterthought.

 

"The insights from Siemba didn't just point out what we needed to fix, they taught us how to think about security in a more sophisticated and proactive way. This has significantly propelled us forward, making our approach to cybersecurity more robust and better prepared to face the challenges ahead."

Alvin Allen
Head of Cybersecurity, FrontSteps

Is Your AI Middleware the Weakest Link?

The integration between your AI and your systems is your highest-risk, most overlooked attack surface. Siemba tests it before attackers find it.
