ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow artificial intelligence (AI) Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user.
The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0. It has been codenamed BodySnatcher by AppOmni.
“This issue […] could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform,” the company said in an advisory released Monday.
The shortcoming was addressed by ServiceNow on October 30, 2025, by deploying a security update to the majority of hosted instances, with the company also sharing the patches with ServiceNow partners and self-hosted customers.
The following versions include a fix for CVE-2025-12420 –
- Now Assist AI Agents (sn_aia) – 5.1.18 or later and 5.2.19 or later
- Virtual Agent API (sn_va_as_service) – 3.15.2 or later and 4.0.4 or later
ServiceNow credited Aaron Costello, chief of SaaS Security Research at AppOmni, with discovering and reporting the flaw in October 2025. While there is no evidence that the vulnerability has been exploited in the wild, users are advised to apply an appropriate security update as soon as possible to mitigate potential threats.
“BodySnatcher is the most severe AI-driven vulnerability uncovered to date: Attackers could have effectively ‘remote controlled’ an organization’s AI, weaponizing the very tools meant to simplify the enterprise,” Costello told The Hacker News.
In a separate report, AppOmni said the Virtual Agent integration flaw allows unauthenticated attackers to impersonate any ServiceNow user using only an email address, bypassing multi-factor authentication (MFA) and single sign-on (SSO) protections. Successful exploitation could allow a threat actor to impersonate an administrator and execute an AI agent to subvert security controls and create backdoor accounts with elevated privileges.
“By chaining a hardcoded, platform-wide secret with account-linking logic that trusts a simple email address, an attacker can bypass multi-factor authentication (MFA), single sign-on (SSO), and other access controls,” Costello added. “And it’s the most severe AI-driven security vulnerability uncovered to date. With these weaknesses linked together, the attacker can remotely drive privileged agentic workflows as any user.”
The disclosure comes nearly two months after AppOmni revealed that malicious actors can exploit default configurations in ServiceNow’s Now Assist generative AI platform and leverage its agentic capabilities to conduct second-order prompt injection attacks.
The issue could then be weaponized to execute unauthorized actions, enabling attackers to copy and exfiltrate sensitive corporate data, modify records, and escalate privileges.
