CVE-2025-12420
Published: 2026-01-12
Priority: P273 · critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 45.49% (98.6th percentile)
A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform.
ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| servicenow | now_assist_ai_agents | < 5.1.18 | 5.1.18 |
| servicenow | now_assist_ai_agents | 5.0.26 – 5.1.17 | — |
| servicenow | now_assist_ai_agents | >= 5.2.0 < 5.2.19 | 5.2.19 |
| servicenow | virtual_agent_api | < 4.0.4 | 4.0.4 |
| servicenow | virtual_agent_api | < 3.15.2 | 3.15.2 |
| servicenow | virtual_agent_api | >= 4.0.0 < 4.0.4 | 4.0.4 |
Detection & IOCs (extracted from sources)
- url: /api/sn_aia/
- url: /api/sn_va_as_service/
- HTTP header: x-usertoken
- bytes: |0d 0a|token|3a 20|
- bytes: |22|appInboundId|22 3a 20 22|default-external-agent|22|
Snort rule (sid 2067122, Now Assist AI Agents endpoint):

```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow BodySnatcher Now Assist AI Agents Authentication Bypass (CVE-2025-12420)"; flow:established,to_server; http.uri; content:"/api/sn_aia/"; fast_pattern; http.header; to_lowercase; content:"|0d 0a|token|3a 20|"; content:"x-usertoken|3a 20|"; http.request_body; content:"|22|appInboundId|22 3a 20 22|default-external-agent|22|"; http.method; content:"POST"; reference:url,appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/; reference:cve,2025-12420; classtype:web-application-attack; sid:2067122; rev:1;)
```

Snort rule (sid 2067121, Virtual Agent API endpoint):

```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow BodySnatcher Virtual Agent API Authentication Bypass (CVE-2025-12420)"; flow:established,to_server; http.uri; content:"/api/sn_va_as_service/"; fast_pattern; http.header; to_lowercase; content:"|0d 0a|token|3a 20|"; content:"x-usertoken|3a 20|"; http.request_body; content:"|22|appInboundId|22 3a 20 22|default-external-agent|22|"; http.method; content:"POST"; reference:url,appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/; reference:cve,2025-12420; classtype:web-application-attack; sid:2067121; rev:1;)
```
- The exploit targets two distinct ServiceNow API endpoints: /api/sn_aia/ (Now Assist AI Agents) and /api/sn_va_as_service/ (Virtual Agent API). Monitor POST requests to either path for authentication bypass attempts.
- Exploit requests carry both a generic 'token' HTTP header and an 'x-usertoken' header simultaneously; the combination is a strong indicator of the BodySnatcher impersonation technique.
- The POST request body contains the JSON field appInboundId set to the value 'default-external-agent', which is a specific artifact of the BodySnatcher exploit payload.
- The vulnerability allows an unauthenticated user to impersonate another user (including admins) on the ServiceNow AI Platform. Audit logs should be reviewed for unexpected privileged actions originating from unauthenticated or low-privilege sessions.
- The exploit is publicly named 'BodySnatcher' and has a public exploit available (EPSS 16.3 percentile). Perimeter and internal TLS-decrypting inspection points are recommended deployment locations for the Snort rules.
- The reference research URL for the BodySnatcher technique is appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/, useful for threat intel correlation.
- The Snort rules require TLS decryption (SSLDecrypt/TLSDecrypt) to inspect the HTTP headers and request body. Without TLS inspection at the perimeter or internally, these signatures will not fire on encrypted traffic.
- ServiceNow patched hosted instances in October 2025 and released Store App updates; self-hosted customers, partners, and customers with unique configurations must apply the security update manually.
- The affected component is specifically identified as cpe:2.3:a:servicenow:now_assist_ai_agents; scope detection efforts to instances running the Now Assist AI Agents Store App.
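As an added example (not code from this page, from ServiceNow, or from the Emerging Threats ruleset), the following Python ports the conditions of the two Snort rules above into a small checker and runs it over constructed HTTP requests. It assumes requests are available as raw, already-decrypted HTTP/1.1 bytes, for example from a TLS-terminating proxy log, which is the same decryption requirement the rules carry. The URI prefixes, header names, body field and value and the two sids come from the page; the sample requests, host name and other body fields are constructed.

```python
"""Added example: a Python port of the ET Snort rule logic for CVE-2025-12420,
run over constructed (not captured) HTTP requests. Assumes decrypted HTTP/1.1
bytes as input; nothing here is ServiceNow's own API schema."""
import json
from dataclasses import dataclass

# Indicator pieces taken from the rules on the page: URI substring -> ET sid
WATCHED_URIS = {
    "/api/sn_aia/": 2067122,            # Now Assist AI Agents
    "/api/sn_va_as_service/": 2067121,  # Virtual Agent API
}
REQUIRED_HEADERS = {"token", "x-usertoken"}  # both must be present (rule ANDs them)
BODY_FIELD, BODY_VALUE = "appInboundId", "default-external-agent"


@dataclass
class Request:
    method: str
    uri: str
    headers: dict   # lower-cased header names -> values
    body: bytes


def parse_request(raw: bytes) -> Request:
    """Minimal HTTP/1.1 request parser: request line, header lines, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        # Mirrors the rule's to_lowercase: header names compared case-insensitively
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers, body)


def body_has_marker(body: bytes) -> bool:
    """True if the JSON body carries appInboundId == default-external-agent.
    The body is parsed as JSON rather than byte-matched like the Snort content,
    so key order and whitespace in an otherwise identical body do not matter."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return isinstance(doc, dict) and doc.get(BODY_FIELD) == BODY_VALUE


def match_bodysnatcher(raw: bytes):
    """Return the ET sid whose conditions the request satisfies, else None."""
    req = parse_request(raw)
    if req.method != "POST":
        return None
    sid = next((s for needle, s in WATCHED_URIS.items() if needle in req.uri), None)
    if sid is None:
        return None
    if not REQUIRED_HEADERS.issubset(req.headers):
        return None
    return sid if body_has_marker(req.body) else None


# Constructed sample traffic (hypothetical host name; not real captures)
SAMPLES = {
    "agents_hit": (
        b"POST /api/sn_aia/some/path HTTP/1.1\r\nHost: instance.example\r\n"
        b"Token: abc\r\nX-UserToken: def\r\nContent-Type: application/json\r\n\r\n"
        b'{"appInboundId": "default-external-agent", "message": "hi"}'
    ),
    "va_hit_minified": (
        b"POST /api/sn_va_as_service/x HTTP/1.1\r\ntoken: a\r\nx-usertoken: b\r\n\r\n"
        b'{"message":"hi","appInboundId":"default-external-agent"}'
    ),
    "benign_get": b"GET /api/sn_aia/some/path HTTP/1.1\r\nHost: instance.example\r\n\r\n",
    "one_header_only": (
        b"POST /api/sn_aia/x HTTP/1.1\r\nx-usertoken: b\r\n\r\n"
        b'{"appInboundId": "default-external-agent"}'
    ),
}


def scan(samples=SAMPLES) -> dict:
    """Map each sample name to the sid it triggers (or None)."""
    return {name: match_bodysnatcher(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, sid in scan().items():
        print(f"{name:16} -> {sid if sid else 'no match'}")
```

The checker keeps the rules' conjunction intact: a POST to one of the two paths with only one of the two headers, or a GET to the same path, does not match, which is what keeps false positives from ordinary traffic low. The one deliberate departure from the Snort text is structural JSON matching for the body marker; the rules' literal `|22|appInboundId|22 3a 20 22|...` content assumes a single space after the colon, and a log-based checker has no reason to be that brittle.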
CVSS provenance
- NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD · v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:H/U:Amber
Suricata · 2026-01-27 · CVSS 9.3 · [CRITICAL]
ET WEB_SPECIFIC_APPS ServiceNow BodySnatcher Now Assist AI Agents Authentication Bypass (CVE-2025-12420)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow BodySnatcher Now Assist AI Agents Authentication Bypass (CVE-2025-12420)"; flow:established,to_server; http.uri; content:"/api/sn_aia/"; fast_pattern; http.header; to_lowercase; content:"|0d 0a|token|3a 20|"; content:"x-usertoken|3a 20|"; http.request_body; content:"|22|appInboundId|22 3a 20 22|default-external-agent|22|"; http.method; content:"POST"; reference:url,appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/; reference:cve,2025-12420; classtype:web-application-attack; sid:2067122; rev:1; metadata:affected_product ServiceNow, attack_target Server, tls_state TLSDecrypt, c
Suricata · 2026-01-27 · CVSS 9.3 · [CRITICAL]
ET WEB_SPECIFIC_APPS ServiceNow BodySnatcher Virtual Agent API Authentication Bypass (CVE-2025-12420)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow BodySnatcher Virtual Agent API Authentication Bypass (CVE-2025-12420)"; flow:established,to_server; http.uri; content:"/api/sn_va_as_service/"; fast_pattern; http.header; to_lowercase; content:"|0d 0a|token|3a 20|"; content:"x-usertoken|3a 20|"; http.request_body; content:"|22|appInboundId|22 3a 20 22|default-external-agent|22|"; http.method; content:"POST"; reference:url,appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/; reference:cve,2025-12420; classtype:web-application-attack; sid:2067121; rev:1; metadata:affected_product ServiceNow, attack_target Server, tls_state TLSDecryp
No public exploits indexed.
ESET · blogs_eset · 2026-01-30 · CVSS 9.3 · [CRITICAL]
## This month in security with Tony Anscombe – January 2026 edition
The trends from January offer useful clues about the risks and priorities that security teams are likely to contend with throughout the year
Editor · 30 Jan 2026
The year got off to a busy start, with January offering an early snapshot of the challenges that (not just) cybersecurity teams are likely to face in the months ahead. It's therefore time for ESET Chief Security Evangelist Tony Anscombe to look back on some of the month's most impactful cybersecurity stories. Here's some of what caught Tony's eye:
the IT service management firm ServiceNow has patched what is the most severe AI-driven sec
Wiz · blogs_wiz · CVSS 9.3 · [CRITICAL]
## CVE-2025-12420: ServiceNow Agent Client Collector (ACC) vulnerability analysis and mitigation
A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform.
ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so.
Source: NVD · Score: 9.3
ESET · blogs_eset · CVSS 9.3 · This month in security with Tony Anscombe – January 2026 edition (continued excerpt)
- the IT service management firm ServiceNow has patched what is the most severe AI-driven security vulnerability found to date; if exploited, CVE-2025-12420 could have let unauthenticated attackers pose as admins on the company's AI platform,
- how unsecured Zendesk support systems were abused to launch a massive spam campaign,
- cyber-fraud has displaced ransomware as the top concern among CEOs across the world, according to the World Economic
arXiv · arxiv_fulltext · 2026-04
## Who Governs the Machine? A Machine Identity Governance Taxonomy (MIGT) for AI Systems Operating Across Enterprise and Geopolitical Boundaries
Andrew Kurtz, CISSP ([email protected]) · Klaudia Krawiecka, PhD ([email protected])
## Abstract
The governance of artificial intelligence has a blind spot: the machine identities that AI systems use to act. AI agents, service accounts, API tokens, and automated workflows now outnumber human identities in enterprise environments by ratios exceeding 80 to 1, yet no integrated framework exists to govern them. The consequences are measurable: a single ungoverned automated agent produced $5.4 to $10 billion in losses in the 2024 CrowdStrike outage, and nation-state actors including Silk Typhoon an