Authentication Bypass Vulnerabilities in ServiceNow Now Assist and ABB Ability OPTIMAX
Two separate critical authentication-bypass issues were disclosed affecting enterprise platforms, each enabling user impersonation without valid credentials. AppOmni researcher Aaron Costello reported a ServiceNow flaw in the Virtual Agent API and Now Assist AI Agents that allows an unauthenticated attacker to impersonate any ServiceNow user (including admins) and execute privileged AI agents remotely. Tracked as CVE-2025-12420, the issue stems from a hardcoded, platform-wide shared secret used for AI agent channel providers combined with insecure account-linking logic that trusts a requester presenting the shared token plus a victim email address, effectively bypassing MFA/SSO controls; affected components include sn_aia (Now Assist AI Agents) and sn_va_as_service (Virtual Agent API), with fixes available in updated versions.
ABB issued a critical advisory for ABB Ability™ OPTIMAX® energy management systems using Azure Active Directory SSO, warning that CVE-2025-14510 (CVSS v4.0 9.2) can allow attackers to bypass authentication and impersonate legitimate users, potentially leading to full administrative control and impacts such as system shutdown, configuration modification, and arbitrary code execution. The vulnerability affects OPTIMAX versions 6.1–6.4 released prior to Nov 20, 2025, and ABB recommends upgrading to patched releases (including v6.4.1-251120 or v6.3.1-251120 and later) or applying mitigations if immediate patching is not possible.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
BodySnatcher vulnerability details become public
Public reporting disclosed technical details of CVE-2025-12420, including proof-of-concept abuse showing attackers could create admin accounts, assign elevated roles, reset passwords, and gain full ServiceNow platform access. The issue was described as affecting specific versions of the Now Assist AI Agents and Virtual Agent API components.
ABB issues critical advisory for OPTIMAX authentication bypass
ABB publicly warned of CVE-2025-14510, a critical authentication bypass vulnerability in ABB Ability OPTIMAX with Azure AD SSO that could let attackers impersonate users and potentially shut down systems, alter configurations, or execute code. ABB urged customers to update immediately or disable Azure AD integration as a workaround.
ABB releases fixed OPTIMAX versions for authentication bypass flaw
ABB made available patched ABB Ability OPTIMAX versions, including 6.4.1-251120 and 6.3.1-251120 or later, to address CVE-2025-14510. The vulnerability affected OPTIMAX 6.1 through 6.4 when integrated with Microsoft Azure AD Single Sign-On.
ServiceNow patches BodySnatcher vulnerability
ServiceNow remediated the BodySnatcher issue by rotating provider credentials and removing the Record Management AI agent from customer environments. The company also notified customers and published advisory KB2587317 crediting Costello and AppOmni.
AppOmni reports ServiceNow BodySnatcher flaw to ServiceNow
Researcher Aaron Costello of AppOmni reported the ServiceNow Virtual Agent API and Now Assist AI Agents vulnerability, later tracked as CVE-2025-12420, to ServiceNow. The flaw allowed unauthenticated attackers to impersonate any user and execute privileged AI agents using only a target email address.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ServiceNow AI Platform Flaw (CVE-2025-12420) Enables Unauthenticated User Impersonation
ServiceNow disclosed and remediated a **critical** vulnerability in its AI Platform, tracked as **CVE-2025-12420** (CVSS **9.3**), that could allow an **unauthenticated attacker to impersonate legitimate users** and perform actions with the victim’s entitlements. The issue impacts ServiceNow AI features including **Now Assist AI Agents** and the **Virtual Agent API**; ServiceNow reported deploying fixes to most hosted instances in October 2025 and providing updates to partners and self-hosted customers, and stated it has **no evidence of exploitation** prior to remediation. Research associated with the disclosure highlighted broader risks in enterprise AI agent deployments, including the potential for **second-order prompt injection** when default settings and agent-to-agent capabilities (e.g., *agent discovery*) are not tightly controlled. In testing described by the reporting, low-privileged users could embed malicious instructions into data fields later processed by higher-privileged AI agents, potentially leading to unauthorized access or changes; customers were advised to upgrade to patched releases (including *Now Assist AI Agents* `5.1.18+` / `5.2.19+` and *Virtual Agent API* `3.15.2+` / `4.0.4+`) and to apply relevant security updates across hosted and self-managed environments.
Mar 21, 2026
Authentication Bypass Vulnerability in ABB Ability Edgenius
ABB disclosed a critical authentication bypass vulnerability, tracked as CVE-2025-10571, affecting ABB Ability Edgenius versions 3.2.0.0 and 3.2.1.1. The flaw allows attackers to bypass authentication using an alternate path or channel, potentially granting unauthorized access to the Edgenius Management Portal. The vulnerability has been assigned a CVSS score of 9.6, indicating a high level of severity, and ABB has issued guidance for users and administrators to review mitigations and apply necessary security measures. Security advisories from the Canadian Centre for Cyber Security and CVE databases highlight the risk posed by this vulnerability and urge organizations using affected versions to take immediate action. No evidence of remote exploitability has been reported, but the critical nature of the flaw underscores the importance of prompt remediation to protect industrial control systems managed by ABB Ability Edgenius.
Mar 21, 2026
CISA Warns of Critical Authentication Flaws in ABB Edgenius and AWIN Gateways
CISA republished ABB advisories warning of serious vulnerabilities in **ABB Edgenius Management Portal** and **ABB AWIN Gateways**, affecting products used in critical manufacturing environments worldwide. The most severe issue impacts Edgenius Management Portal versions `3.2.0.0` and `3.2.1.1`, where a **CWE-288 authentication bypass** with a **CVSS v3.1 score of 9.6** could let an attacker send specially crafted messages to a system node to install and execute arbitrary code, uninstall applications, and alter application configurations. ABB AWIN GW100 rev.2 and AWIN GW120 devices running firmware versions `2.0-0`, `2.0-1`, `1.2-0`, and `1.2-1` are also affected by multiple flaws, including authentication bypass by capture-replay and missing authentication for critical functions.
May 24, 2026