ServiceNow has disclosed and patched a critical security vulnerability in its artificial intelligence platform that could have allowed unauthenticated attackers to impersonate legitimate users and perform actions on their behalf.
The flaw, tracked as CVE-2025-12420 and rated 9.3 on the CVSS scale, affects components within the ServiceNow AI ecosystem. The vulnerability has been named BodySnatcher by cloud security firm AppOmni, which identified and responsibly reported the issue.
According to ServiceNow, the vulnerability could have enabled an unauthenticated individual to assume the identity of another user and execute any operation permitted to that user, posing a serious risk to enterprise environments.
Affected Components and Patch Availability
ServiceNow addressed the issue on October 30, 2025, deploying security updates across most hosted instances. Patches were also made available to ServiceNow partners and customers operating self-hosted deployments.
The following versions include fixes for CVE-2025-12420:
- Now Assist AI Agents (sn_aia): versions 5.1.18 and later, 5.2.19 and later
- Virtual Agent API (sn_va_as_service): versions 3.15.2 and later, 4.0.4 and later
Users running earlier versions are strongly advised to apply updates immediately to reduce exposure.
How the Vulnerability Worked
AppOmni explained that the flaw existed within the Virtual Agent integration logic. An attacker could exploit hardcoded secrets and weak account-linking mechanisms that trusted email addresses without proper verification.
By abusing this behavior, an unauthenticated attacker could bypass multi-factor authentication (MFA) and single sign-on (SSO) protections, impersonate any ServiceNow user, and potentially gain administrative-level access.
Once impersonation was achieved, attackers could misuse AI agents to manipulate workflows, disable security controls, create privileged backdoor accounts, and access sensitive enterprise data.
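The two weaknesses the article names for the account-linking step (a secret hardcoded into the integration, and an email claim taken at face value) combine into the impersonation described above. The following is an added illustration of that weakness class in generic form, not ServiceNow's or AppOmni's code; the user directory, secret values, function names and request shape are all constructed for the example, and the "strict" variant shows the checks a practitioner would expect instead: a per-instance secret, an identity-provider-asserted verified-email flag, and a match against the already-authenticated session.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample user directory (hypothetical, not ServiceNow data).
USERS = {
    "alice@example.com": {"sys_id": "u-1001", "roles": ["admin"]},
    "bob@example.com": {"sys_id": "u-1002", "roles": ["itil"]},
}

# Weak pattern 1: a secret compiled into the integration ships identically to
# every installation, so anyone who reads one copy can sign requests for all.
HARDCODED_SECRET = b"shared-integration-secret"  # hypothetical value


def _sign(secret: bytes, payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the payload."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def link_account_weak(request: dict) -> Optional[dict]:
    """Account linking that trusts a caller-supplied email.

    Returns the user record the caller is now acting as, or None."""
    payload, sig = request["payload"], request["sig"]
    if not hmac.compare_digest(_sign(HARDCODED_SECRET, payload), sig):
        return None
    # Weak pattern 2: the email comes straight from the request body; nothing
    # proves the caller controls that mailbox or holds that identity.
    return USERS.get(payload["email"])


class StrictLinker:
    """Hardened linker: per-instance secret plus identity checks (assumed design)."""

    def __init__(self, idp_secret: bytes):
        # Provisioned out of band per instance; never present in source code.
        self._idp_secret = idp_secret

    def issue_assertion(self, email: str, email_verified: bool) -> dict:
        """Stands in for the identity provider signing an assertion."""
        payload = {"email": email, "email_verified": email_verified}
        return {"payload": payload, "sig": _sign(self._idp_secret, payload)}

    def link_account(self, request: dict, session_user: Optional[str]) -> Optional[dict]:
        """Link only if the assertion is signed with this instance's secret,
        the IdP marked the email as verified, and it matches the user who is
        already authenticated in this session (so MFA/SSO were actually done)."""
        payload, sig = request["payload"], request["sig"]
        if not hmac.compare_digest(_sign(self._idp_secret, payload), sig):
            return None
        if not payload.get("email_verified", False):
            return None
        if session_user is None or payload["email"] != session_user:
            return None
        return USERS.get(payload["email"])


def demo():
    """Runs the forged request against both linkers and returns the outcomes."""
    # Unauthenticated attacker names the admin and signs with the secret that
    # is the same in every deployment.
    forged_payload = {"email": "alice@example.com"}
    attack = {"payload": forged_payload, "sig": _sign(HARDCODED_SECRET, forged_payload)}
    weak_result = link_account_weak(attack)  # alice's record: impersonation

    strict = StrictLinker(secrets.token_bytes(32))
    strict_forged = strict.link_account(attack, session_user=None)  # wrong secret
    # Even a properly signed, verified assertion for alice is refused when the
    # authenticated session belongs to bob.
    assertion = strict.issue_assertion("alice@example.com", email_verified=True)
    cross_user = strict.link_account(assertion, session_user="bob@example.com")
    # Unverified-email assertions are refused even for the right session.
    unverified = strict.issue_assertion("alice@example.com", email_verified=False)
    unverified_result = strict.link_account(unverified, session_user="alice@example.com")
    legit = strict.link_account(assertion, session_user="alice@example.com")
    return weak_result, strict_forged, cross_user, unverified_result, legit


if __name__ == "__main__":
    weak, forged, cross, unverified, legit = demo()
    print("weak linker impersonated:", weak)
    print("strict linker on forged request:", forged)
    print("strict linker cross-user:", cross, "unverified:", unverified)
    print("strict linker legitimate:", legit)
```

The point of the strict variant is that the signature alone is never enough: a valid assertion must also be tied to the session that already passed MFA/SSO, which is exactly the step an email-only linking flow skips.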
Risk Assessment and Expert Commentary
Although there is currently no evidence that CVE-2025-12420 was exploited in real-world attacks, security experts warn that the potential impact was severe.
AppOmni described BodySnatcher as the most serious AI-related vulnerability discovered so far, noting that attackers could have effectively taken control of enterprise AI agents designed to automate and simplify business processes.
The disclosure follows earlier warnings from AppOmni about misconfigurations in ServiceNow’s Now Assist generative AI platform, which could be abused for second-order prompt injection attacks, leading to data theft, unauthorized record modification, and privilege escalation.