ServiceNow Now Assist AI Agents Vulnerable to Second-Order Prompt Injection Attacks
Security researchers have identified that ServiceNow's Now Assist generative AI platform is susceptible to second-order prompt injection attacks due to its default agent-to-agent discovery and collaboration features. Attackers can exploit these configurations to manipulate benign AI agents into recruiting other agents with broader privileges, enabling unauthorized actions such as data exfiltration, record modification, privilege escalation, and sending emails, all without the victim organization's awareness. The vulnerability is not a flaw in the AI itself but stems from expected behavior defined by default configuration options, which are often overlooked by administrators.
The research, conducted by AppOmni, highlights that even with built-in prompt injection protections enabled, malicious prompts embedded in accessible content can trigger a chain reaction among agents. The system's inability to distinguish between trusted instructions and untrusted data, combined with the orchestrator's role in assigning tasks, increases the risk in multi-agent environments. The issue is exacerbated by the fact that large language models prioritize task completion, making them susceptible to treating maliciously crafted text as legitimate instructions, thereby allowing attacks to bypass existing security controls.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
ServiceNow adds scoped-permission 'AI user' option for agents
ServiceNow introduced a capability to run AI agents under a dedicated 'AI user' with scoped permissions, improving control over agent authority. This change addressed prior difficulty in limiting agent privileges and reduced the impact of prompt-injection abuse.
Researchers demonstrate privilege escalation via malicious ticket content
In a proof-of-concept attack, a low-privileged user placed malicious instructions in a ticket that were later processed by ServiceNow orchestration components. This caused unauthorized actions including data access and privilege escalation across a multi-agent workflow.
AppOmni identifies prompt-injection risk in ServiceNow Now Assist agents
AppOmni researchers discovered that AI agents in ServiceNow's Now Assist platform could be manipulated through second-order prompt injection, even when protections were enabled. The issue stemmed from default settings that allowed agent discovery and agent-to-agent communication, enabling lower-privileged agents to influence higher-privileged ones.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
ServiceNow AI Agents Can Be Tricked Into Acting Against Each Other via Second-Order Prompts
thehackernews.com
Open sourceMisconfigured AI Agents Let Attacks Slip Past Controls
bankinfosecurity.com
Open sourceMisconfigured AI Agents Let Attacks Slip Past Controls
govinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ServiceNow AI Platform Flaw (CVE-2025-12420) Enables Unauthenticated User Impersonation
ServiceNow disclosed and remediated a **critical** vulnerability in its AI Platform, tracked as **CVE-2025-12420** (CVSS **9.3**), that could allow an **unauthenticated attacker to impersonate legitimate users** and perform actions with the victim’s entitlements. The issue impacts ServiceNow AI features including **Now Assist AI Agents** and the **Virtual Agent API**; ServiceNow reported deploying fixes to most hosted instances in October 2025 and providing updates to partners and self-hosted customers, and stated it has **no evidence of exploitation** prior to remediation. Research associated with the disclosure highlighted broader risks in enterprise AI agent deployments, including the potential for **second-order prompt injection** when default settings and agent-to-agent capabilities (e.g., *agent discovery*) are not tightly controlled. In testing described by the reporting, low-privileged users could embed malicious instructions into data fields later processed by higher-privileged AI agents, potentially leading to unauthorized access or changes; customers were advised to upgrade to patched releases (including *Now Assist AI Agents* `5.1.18+` / `5.2.19+` and *Virtual Agent API* `3.15.2+` / `4.0.4+`) and to apply relevant security updates across hosted and self-managed environments.
Mar 21, 2026
Prompt Injection Vulnerabilities in Microsoft Copilot Studio AI Agents
Security researchers demonstrated that Microsoft Copilot Studio's no-code AI agent platform is susceptible to prompt injection attacks, allowing unauthorized access to sensitive business data. By leveraging the platform's ease of use, even non-technical employees can create AI agents that integrate with critical business systems such as SharePoint, Outlook, and Teams. In controlled tests, researchers were able to extract customer credit card information and manipulate booking systems to create fraudulent transactions, such as booking a $0 vacation, by issuing carefully crafted prompts to the AI agents. The core risk arises from the democratization of AI agent creation, which, while boosting productivity, also increases the attack surface for organizations. The lack of technical safeguards and the inherent vulnerabilities of large language models (LLMs) make it easy for attackers or even well-meaning users to bypass intended security controls. Experts warn that these agentic tools, if not properly secured, can lead to significant data exposure and workflow hijacking, underscoring the urgent need for robust security practices and oversight when deploying AI-powered automation in business environments.
Mar 21, 2026
Indirect Prompt Injection and Data Exfiltration Risks in Enterprise AI Agents
Security researchers warned that **AI agents and retrieval-augmented generation (RAG) systems** can be turned into data-exfiltration channels when attackers poison inputs or embed malicious instructions in content the model is expected to process. One report described a **0-click indirect prompt injection** against *OpenClaw* agents in which hidden instructions cause the agent to generate an attacker-controlled URL containing sensitive data such as API keys or private conversations in query parameters; messaging platforms like *Telegram* or *Discord* can then automatically request that URL for link previews, silently delivering the data to the attacker. The same reporting noted concerns about insecure defaults that allow agents to browse, execute tasks, and access local files, expanding the blast radius of prompt-injection abuse. Related analysis highlighted that the same core weakness extends beyond standalone agents to **enterprise RAG deployments**, where the integrity of the knowledge base becomes part of the security boundary. If attackers can poison indexed documents in systems such as SharePoint or Confluence, they can manipulate retrieval results and influence model outputs, including security workflows and analyst guidance. Broader commentary on **agentic AI threat convergence** reinforced that prompt engineering is no longer just a productivity technique but an emerging exploit class, with adversaries using prompt injection and context manipulation against AI-enabled security operations. Together, the reporting shows that enterprise AI risk increasingly depends on controlling untrusted content, hardening agent permissions, and treating prompts, retrieved documents, and downstream integrations as attack surfaces.
May 7, 2026