ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation: Analysis of CVE-2025-12420 (CVSS 9.3)

Key Takeaways

  • CVE-2025-12420 is a critical logic flaw (CVSS 9.3) allowing unauthenticated attackers to impersonate any user via ServiceNow’s AI platform.
  • The vulnerability, known as “BodySnatcher,” bypasses standard security protocols like SSO and MFA by exploiting a hardcoded secret.
  • Primary targets include the Virtual Agent API and Now Assist AI modules, which facilitate automated workflows and data access.
  • Immediate patching of specific AI plugins (sn_aia and sn_va_as_service) is required to mitigate the risk of full system compromise.

ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation

ServiceNow has released security updates to address a critical vulnerability in its artificial intelligence (AI) platform, identified as CVE-2025-12420 (CVSS 9.3). This vulnerability, discovered by researchers at AppOmni and dubbed “BodySnatcher,” allows unauthenticated attackers to impersonate any user within a ServiceNow instance. By exploiting specific logic within the Virtual Agent and Now Assist AI components, a threat actor can perform actions with the privileges of the impersonated user, effectively bypassing multi-factor authentication (MFA) and single sign-on (SSO) protocols.

This flaw represents a significant risk to organizations that use agentic AI workflows to automate business processes. It centers on a hardcoded platform-wide secret and on account-linking logic that relies solely on an email address for identity verification. Because ServiceNow acts as a central nervous system for many enterprises (managing HR, IT, and security operations), this impersonation capability provides a direct path to sensitive corporate data and system configurations.

Technical Analysis of CVE-2025-12420

The vulnerability CVE-2025-12420 resides in the integration between ServiceNow’s Virtual Agent and its AI-driven agentic workflows. To understand the risk, one must examine how ServiceNow manages identity within these automated components. The platform utilizes “Now Assist” to provide generative AI capabilities, allowing users to interact with enterprise data through natural language.

According to research findings, the “BodySnatcher” exploit leverages a failure in how the Virtual Agent API handles user sessions and identity linking. Specifically, an attacker can supply a targeted user’s email address and, by exploiting a hardcoded secret within the platform’s internal communications, convince the system that the request is legitimate. This bypasses the standard authentication stack, including SSO and MFA, which typically serve as the primary barriers against unauthorized access.

Once the impersonation is successful, the attacker gains the permissions of the targeted user. If the targeted account has administrative privileges, the attacker can execute AI agents to modify security controls, create new administrative accounts, or exfiltrate data via automated workflows. This is particularly concerning given the rise of supply-chain risk monitoring, where ServiceNow is often integrated with third-party vendors and external services. A compromise of the central ServiceNow instance could result in lateral movement across the broader corporate ecosystem.

The exploit chain works as follows:

  • An unauthenticated attacker identifies a target email address associated with a ServiceNow account.
  • The attacker interacts with the Virtual Agent API.
  • By utilizing a hardcoded secret identified by researchers, the attacker triggers an account-linking process.
  • The system fails to verify the request against an established session or a valid MFA token, trusting the email address and the secret.
  • The session is upgraded to the target user’s identity.

The Shift to AI-Driven Vulnerabilities

The emergence of CVE-2025-12420 marks a transition in the threat landscape. Previous ServiceNow vulnerabilities often focused on database misconfigurations or traditional injection flaws. However, “BodySnatcher” demonstrates how the integration of generative AI introduces new attack vectors. Earlier in 2025, researchers noted that ServiceNow’s generative AI platform was susceptible to second-order prompt injection attacks. CVE-2025-12420 facilitates these attacks by providing the necessary identity context to execute malicious prompts as a privileged user.

For organizations utilizing a cyber threat intelligence platform, monitoring the transition from standard SaaS exploitation to AI-agent exploitation is necessary. Threat actors are increasingly targeting the “glue” that connects AI to enterprise data. When an AI agent can modify records or access internal APIs, the traditional perimeter is no longer effective.

Impact on Enterprise Security Operations

The impact of CVE-2025-12420 extends beyond simple data theft. In many enterprises, ServiceNow is used to orchestrate incident response, manage credentials, and store proprietary business logic.

Data Exfiltration and Record Modification:
If a threat actor impersonates an HR or Finance administrator, they can access payroll information, bank details, and personally identifiable information (PII). In the context of real-time ransomware intelligence, this type of access is a precursor to data extortion. Attackers may not encrypt the system immediately but will instead focus on exfiltrating high-value data to use as leverage.

Backdoor Creation:
Successful exploitation allows an attacker to create new user accounts with elevated privileges. These accounts may bypass standard audit logs if the AI agent is used to create them through automated scripts. This provides long-term persistence within the environment, making breach detection significantly more difficult for internal SOC teams.

Bypassing MFA and SSO:
The most critical aspect of CVE-2025-12420 is its ability to render modern identity protections irrelevant. Many organizations rely on MFA as a “silver bullet” for identity security. BodySnatcher proves that flaws in application logic, specifically in how APIs handle trusted secrets, can circumvent these controls entirely.

Role of Threat Intelligence and Monitoring

To defend against vulnerabilities like CVE-2025-12420, engineering teams must look beyond simple patching. The use of a live ransomware API or similar intelligence feeds can help organizations understand if their specific software versions are being targeted in the wild. While ServiceNow stated there is no evidence of active exploitation for this flaw, the public disclosure of the “BodySnatcher” mechanics often leads to a rapid increase in scanning activity.

Threat actors frequently share exploit proofs-of-concept on encrypted platforms. Effective Telegram threat monitoring can provide early warning signs that attackers are developing automated scanners to find unpatched ServiceNow instances. Furthermore, underground forum intelligence remains a primary source for identifying the “hardcoded secrets” or configuration nuances that attackers use to refine their exploits.

Remediation and Version Requirements

ServiceNow addressed CVE-2025-12420 on October 30, 2025. The majority of ServiceNow-hosted instances were patched automatically. However, organizations running self-hosted instances or those using specific partner-managed environments must manually verify their versions.

The following versions contain the fix:

  • Now Assist AI Agents (sn_aia): Version 5.1.18 or later, and 5.2.19 or later.
  • Virtual Agent API (sn_va_as_service): Version 3.15.2 or later, and 4.0.4 or later.

Engineers should audit their installed plugins and ensure that these specific components are updated. Simply updating the ServiceNow “family” (e.g., Xanadu or Washington) may not be sufficient if these specific AI and Virtual Agent plugins are not also updated to the required versions.
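The version check above has a trap worth showing in code: each plugin has two fixed branches, so an installed version is only safe when it is at or above the fix for its own major.minor branch, and a string comparison gets it wrong (for example “5.2.9” sorts after “5.2.19” lexically). The following is an added example, not ServiceNow's or PurpleOps' code. The fixed versions come from the advisory text above; the inventory format (a list of plugin id and version pairs) and the sample inventory are constructed assumptions, as is the rule that a branch newer than every fixed branch counts as patched, while an older branch is treated as vulnerable.

```python
"""Audit installed ServiceNow AI plugin versions against the CVE-2025-12420 fixes."""
from __future__ import annotations

# Fixed releases named in the advisory; each entry is the minimum safe version
# on its own major.minor branch.
FIXED_VERSIONS: dict[str, list[str]] = {
    "sn_aia": ["5.1.18", "5.2.19"],
    "sn_va_as_service": ["3.15.2", "4.0.4"],
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '5.1.18' into (5, 1, 18) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.strip().split("."))


def is_patched(plugin_id: str, installed: str) -> bool | None:
    """Return True if patched, False if vulnerable, None if the plugin is out of scope.

    Assumption: a version is patched when it is at or above the fix for the same
    major.minor branch, or sits on a branch newer than every fixed branch. A branch
    older than any fixed branch is treated conservatively as vulnerable.
    """
    fixes = FIXED_VERSIONS.get(plugin_id)
    if fixes is None:
        return None
    inst = parse_version(installed)
    branch = inst[:2]
    fixed_branches = sorted(parse_version(f) for f in fixes)
    for fix in fixed_branches:
        if fix[:2] == branch:
            return inst >= fix
    return branch > fixed_branches[-1][:2]


def audit(inventory: list[tuple[str, str]]) -> dict[str, str]:
    """Map each in-scope plugin to 'patched', 'VULNERABLE (...)' or 'not installed'."""
    report: dict[str, str] = {}
    seen: set[str] = set()
    for plugin_id, version in inventory:
        status = is_patched(plugin_id, version)
        if status is None:
            continue  # unrelated plugin, ignored
        seen.add(plugin_id)
        report[plugin_id] = "patched" if status else f"VULNERABLE ({version})"
    for plugin_id in FIXED_VERSIONS:
        if plugin_id not in seen:
            report[plugin_id] = "not installed"
    return report


# Constructed inventory, not taken from a real instance.
SAMPLE_INVENTORY = [
    ("sn_aia", "5.2.17"),                  # 5.2 branch, below the 5.2.19 fix
    ("sn_va_as_service", "4.0.4"),         # exactly the fixed release
    ("example_unrelated_plugin", "1.0.0"), # placeholder id, out of scope
]

if __name__ == "__main__":
    for plugin, status in audit(SAMPLE_INVENTORY).items():
        print(f"{plugin}: {status}")
```

Feed it the plugin ids and versions read from your instance's plugin list; anything reported as VULNERABLE or not installed on a platform that uses Virtual Agent or Now Assist should be escalated, regardless of which platform family the instance is on.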

Practical Takeaways for Technical Teams

  • Plugin Audit: Immediately verify the versions of sn_aia and sn_va_as_service. Do not assume a general platform update covers these specific AI modules.
  • Log Analysis: Review Virtual Agent API logs for unusual patterns of account linking. Look for instances where multiple users were linked from the same source IP or where unauthenticated requests preceded a privileged user session.
  • Secret Management: Evaluate the use of hardcoded secrets within any custom ServiceNow integrations. The “BodySnatcher” flaw highlights the danger of static platform-wide secrets.
  • Red Team Testing: Conduct penetration testing specifically targeting AI agentic workflows. Standard web application scans may not identify logic flaws in how AI agents interpret and execute permissions.
  • Identity Verification: Implement additional logging for any “impersonation” events within ServiceNow. Ensure that the impersonated_by field is monitored and alerted upon for all administrative accounts.
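The Log Analysis and Identity Verification items above describe three detection patterns: several users linked from one source IP, an unauthenticated request preceding a privileged session, and impersonation events against administrative accounts. The block below runs those three checks over sample log lines. It is an added example, not ServiceNow's or PurpleOps' code, and ServiceNow's real log schema is not reproduced: the one-JSON-object-per-line format with ts, event, src_ip, user, session_auth, roles and impersonated_by fields is an assumption, and every log line is constructed.

```python
"""Detection logic for the account-linking and impersonation patterns described above."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed JSON-lines format (not ServiceNow's schema).
SAMPLE_LOG = """\
{"ts": "2025-11-03T09:00:01Z", "event": "va_request", "src_ip": "203.0.113.7", "user": null, "session_auth": false}
{"ts": "2025-11-03T09:00:02Z", "event": "account_link", "src_ip": "203.0.113.7", "user": "alice", "session_auth": false}
{"ts": "2025-11-03T09:00:03Z", "event": "account_link", "src_ip": "203.0.113.7", "user": "bob", "session_auth": false}
{"ts": "2025-11-03T09:00:04Z", "event": "account_link", "src_ip": "203.0.113.7", "user": "admin.svc", "session_auth": false}
{"ts": "2025-11-03T09:00:05Z", "event": "session_start", "src_ip": "203.0.113.7", "user": "admin.svc", "session_auth": true, "roles": ["admin"]}
{"ts": "2025-11-03T09:01:00Z", "event": "impersonation", "src_ip": "203.0.113.7", "user": "admin.svc", "impersonated_by": "alice", "session_auth": true}
{"ts": "2025-11-03T10:15:00Z", "event": "session_start", "src_ip": "198.51.100.4", "user": "carol", "session_auth": true, "roles": ["itil"]}
{"ts": "2025-11-03T10:15:30Z", "event": "account_link", "src_ip": "198.51.100.4", "user": "carol", "session_auth": true}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def links_from_same_ip(events, window=timedelta(minutes=10), threshold=3):
    """Flag source IPs that linked `threshold` or more distinct users within one window."""
    links = defaultdict(list)  # src_ip -> [(ts, user)]
    for ev in events:
        if ev["event"] == "account_link":
            links[ev["src_ip"]].append((ev["ts"], ev["user"]))
    findings = []
    for ip, items in links.items():
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= threshold:
                findings.append((ip, sorted(users)))
                break
    return findings


def unauth_link_before_admin_session(events, window=timedelta(minutes=5)):
    """Flag an unauthenticated account_link followed by an admin session for the same user."""
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "account_link" or ev.get("session_auth"):
            continue
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            if (later["event"] == "session_start" and later["user"] == ev["user"]
                    and "admin" in later.get("roles", [])):
                findings.append((ev["user"], ev["src_ip"], ev["ts"].isoformat()))
                break
    return findings


def impersonation_of_admins(events, admin_users):
    """Flag any event carrying impersonated_by whose target is an administrative account."""
    return [(ev["user"], ev["impersonated_by"], ev["src_ip"])
            for ev in events
            if ev.get("impersonated_by") and ev["user"] in admin_users]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("multi-user linking:", links_from_same_ip(evs))
    print("unauth link -> admin session:", unauth_link_before_admin_session(evs))
    print("admin impersonation:", impersonation_of_admins(evs, {"admin.svc"}))
```

The window and threshold are starting points; tune them against a baseline of legitimate linking activity so that shared egress IPs (VPN concentrators, proxies) do not drown the signal, and route the admin impersonation finding straight to an alert rather than a report.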

Practical Takeaways for Business Leaders

  • SaaS Governance: Recognize that SaaS platforms like ServiceNow are not “set and forget.” They require active vulnerability management and supply-chain risk monitoring.
  • AI Risk Assessment: Before deploying AI agents that can perform actions (agentic AI), perform a formal risk assessment. Understand what the agent can do if its identity context is hijacked.
  • Incident Response: Update incident response playbooks to include “Identity Impersonation” scenarios. If an admin account is compromised via an API flaw, the response must involve rotating all platform secrets, not just changing a password.
  • Threat Visibility: Invest in brand leak alerting capabilities. Knowing if your ServiceNow instance URL is being targeted on underground forums can provide the necessary lead time to apply patches.

Strategic Defense and PurpleOps Expertise

Managing the complexities of vulnerabilities like CVE-2025-12420 requires a multi-layered approach to security. At PurpleOps, we provide the technical depth necessary to secure enterprise SaaS environments and AI integrations.

Our cyber threat intelligence services provide organizations with the data needed to stay ahead of emerging exploits. By analyzing trends in the threat landscape, we help teams prioritize patching for critical flaws like those found in the ServiceNow AI Platform.

To ensure your environment is resilient against identity-based attacks, our red team operations simulate real-world attack scenarios, including the impersonation of privileged users and the exploitation of agentic workflows. We go beyond automated scanning to find the logic flaws that traditional tools miss.

Furthermore, our dark web monitoring and supply chain information security services offer continuous oversight. We monitor for leaked credentials, hardcoded secrets, and discussions on underground forums that could indicate your organization is at risk.

For organizations concerned about the rise of automated attacks, our platform and PurpleOps Solutions provide a comprehensive framework for protecting against ransomware and other sophisticated threats. By integrating real-time intelligence with expert analysis, we enable engineering teams to focus on innovation while we manage the technical security details.

Analyst Summary

The vulnerability tracked as CVE-2025-12420 is a high-severity logic flaw that demonstrates the risks inherent in delegating identity trust to automated AI components. By chaining a hardcoded secret with flawed email-based account linking, attackers can gain unauthenticated access to ServiceNow instances. The primary mitigation is the application of the October 2025 patches provided by ServiceNow. Beyond patching, organizations must improve their visibility into API interactions and agentic workflows to detect similar impersonation attempts in the future.

Frequently Asked Questions

What exactly is the “BodySnatcher” vulnerability?
It is a logic flaw in ServiceNow’s AI platform (CVE-2025-12420) that allows unauthenticated attackers to impersonate any user by exploiting a hardcoded secret and improper account-linking verification.

Does CVE-2025-12420 affect all ServiceNow versions?
It specifically affects instances using certain versions of the Now Assist AI Agents (sn_aia) and Virtual Agent API (sn_va_as_service) modules. Fixes are available in sn_aia version 5.1.18/5.2.19 and sn_va_as_service version 3.15.2/4.0.4.

Can an attacker bypass MFA using this flaw?
Yes. Because the exploit occurs at the API logic level using a trusted internal secret, it bypasses the standard authentication flow where MFA and SSO are enforced.

Has there been active exploitation of this vulnerability?
ServiceNow stated in late 2025 that there was no evidence of active exploitation in the wild, but the risk remains high due to the public disclosure of the exploit mechanics.

How can I verify if my instance is secure?
You must check the specific version numbers of the installed sn_aia and sn_va_as_service plugins in your ServiceNow instance, as general platform updates may not always include the latest plugin versions.