ServiceNow AI Platform Flaw (CVE-2025-12420) Enables Unauthenticated User Impersonation
ServiceNow disclosed and remediated a critical vulnerability in its AI Platform, tracked as CVE-2025-12420 (CVSS 9.3), that could allow an unauthenticated attacker to impersonate legitimate users and perform actions with the victim’s entitlements. The issue impacts ServiceNow AI features including Now Assist AI Agents and the Virtual Agent API; ServiceNow reported deploying fixes to most hosted instances in October 2025 and providing updates to partners and self-hosted customers, and stated it has no evidence of exploitation prior to remediation.
Research associated with the disclosure highlighted broader risks in enterprise AI agent deployments, including the potential for second-order prompt injection when default settings and agent-to-agent capabilities (e.g., agent discovery) are not tightly controlled. In testing described by the reporting, low-privileged users could embed malicious instructions into data fields later processed by higher-privileged AI agents, potentially leading to unauthorized access or changes; customers were advised to upgrade to patched releases (including Now Assist AI Agents 5.1.18+ / 5.2.19+ and Virtual Agent API 3.15.2+ / 4.0.4+) and to apply relevant security updates across hosted and self-managed environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
AppOmni publicly disclosed 'BodySnatcher' exploit details and PoC
AppOmni publicly released research on the 'BodySnatcher' exploit chain, detailing how an attacker could impersonate any user with only an email address and then abuse AI agents to gain administrative access. The disclosure included technical root-cause analysis and a proof-of-concept attack path.
ServiceNow updated documentation for broader AI configuration risks
Beyond the core impersonation flaw, ServiceNow said certain prompt-injection-related behaviors identified by AppOmni were intentional design choices and updated its documentation to clarify configuration options and mitigations. The exact date is not stated, but this was disclosed alongside the January 2026 reporting.
CVE-2025-12420 entry was published with critical severity
The CVE record for CVE-2025-12420 was published with a CVSS v4.0 score of 9.3, describing an unauthenticated user-impersonation vulnerability in the ServiceNow AI Platform. The entry cited ServiceNow PSIRT and noted prior remediation in October 2025.
ServiceNow published security advisory for CVE-2025-12420
ServiceNow published a security advisory for CVE-2025-12420 describing the privilege-escalation issue in its AI Platform and directing customers to relevant fixes and upgraded versions. The advisory was published on Jan. 12, 2026.
ServiceNow deployed fixes for hosted instances and issued customer patches
ServiceNow remediated CVE-2025-12420 on most hosted instances by rotating the shared credential and addressing affected AI components, and it provided patches or updates to partners and self-hosted customers. Multiple sources place the main remediation on Oct. 30, 2025.
AppOmni reported the ServiceNow flaw to the vendor
AppOmni discovered the vulnerability chain affecting ServiceNow's Virtual Agent API and Now Assist AI Agents and reported it to ServiceNow. Dark Reading states the report was made on Oct. 23, 2025.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
ServiceNow patches critical AI Platform vulnerability enabling user impersonation | SC Media
scworld.com
Open sourceServiceNow patches critical AI platform flaw that could allow user impersonation | CyberScoop
cyberscoop.com
Open sourceAgentic AI Security Vulnerability in ServiceNow Exposed | AppOmni
appomni.com
Open source'Most Severe AI Vulnerability to Date' Hits ServiceNow
darkreading.com
Open sourceCVE-2025-12420 - Unauthenticated Privilege Escalation in ServiceNow AI Platform
cvefeed.io
Open source[Security Advisory] CVE-2025-12420 - Privilege Escalation in ServiceNow AI Platform - Security
support.servicenow.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical ServiceNow RCE Flaws Hit Core and AI Platform Deployments
ServiceNow customers were urged to patch multiple **critical remote code execution** vulnerabilities after reports that flaws in the platform were being **actively exploited**. One set of bugs affected core ServiceNow deployments and was serious enough to trigger immediate warnings from security researchers and industry media, highlighting the risk of unauthenticated or low-friction compromise in widely used enterprise workflow environments. A separate report later identified another **critical RCE vulnerability** in the **ServiceNow AI Platform**, expanding concern from the core platform to newer AI-enabled components. Together, the disclosures indicate that attackers have had viable paths to execute code against ServiceNow environments across both traditional and AI-related services, raising the stakes for organizations that use the platform for IT, HR, security, and business process automation.
May 25, 2026
ServiceNow Now Assist AI Agents Vulnerable to Second-Order Prompt Injection Attacks
Security researchers have identified that ServiceNow's Now Assist generative AI platform is susceptible to second-order prompt injection attacks due to its default agent-to-agent discovery and collaboration features. Attackers can exploit these configurations to manipulate benign AI agents into recruiting other agents with broader privileges, enabling unauthorized actions such as data exfiltration, record modification, privilege escalation, and sending emails, all without the victim organization's awareness. The vulnerability is not a flaw in the AI itself but stems from expected behavior defined by default configuration options, which are often overlooked by administrators. The research, conducted by AppOmni, highlights that even with built-in prompt injection protections enabled, malicious prompts embedded in accessible content can trigger a chain reaction among agents. The system's inability to distinguish between trusted instructions and untrusted data, combined with the orchestrator's role in assigning tasks, increases the risk in multi-agent environments. The issue is exacerbated by the fact that large language models prioritize task completion, making them susceptible to treating maliciously crafted text as legitimate instructions, thereby allowing attacks to bypass existing security controls.
Mar 21, 2026
Unauthenticated RCE in ServiceNow AI Platform Sandbox (CVE-2026-0542)
ServiceNow patched a **critical unauthenticated remote code execution (RCE)** vulnerability in the *ServiceNow AI Platform* tracked as **CVE-2026-0542**. The flaw can allow an unauthenticated attacker, under certain conditions, to execute code within the **ServiceNow Sandbox**—a restricted environment intended to isolate untrusted code—creating risk of broader instance compromise, including potential data theft and workflow manipulation. Public technical details were limited, but the issue was characterized as remotely reachable (typically over HTTPS) and high impact, with reporting citing **critical severity (CVSS 9.8)**. ServiceNow’s advisory (**KB2693566**) states the company deployed security updates to affected **hosted customer instances** and also made updates available to **self-hosted customers and partners** via patches/hotfixes. As of the advisory information reflected in CVE tracking, ServiceNow reported it was **not aware of active exploitation against customer instances**, but recommended customers apply the relevant updates or upgrade promptly to mitigate the risk from an unauthenticated RCE path into the sandboxed execution environment.
Mar 21, 2026