cbcvebase.
CVE-2025-12420
published 2026-01-12

Priority: P2 · 73 · critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
EPSS: 45.49% (98.6th percentile)
A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so.

Affected (6 ranges)

Vendor      Product               Version range        Fixed in
servicenow  now_assist_ai_agents  < 5.1.18             5.1.18
servicenow  now_assist_ai_agents  5.0.26 – 5.1.17      (none listed)
servicenow  now_assist_ai_agents  >= 5.2.0, < 5.2.19   5.2.19
servicenow  virtual_agent_api     < 4.0.4              4.0.4
servicenow  virtual_agent_api     < 3.15.2             3.15.2
servicenow  virtual_agent_api     >= 4.0.0, < 4.0.4    4.0.4

Detection & IOCs (extracted from sources)

url:    /api/sn_aia/
url:    /api/sn_va_as_service/
other:  x-usertoken: (HTTP header)
bytes:  |0d 0a|token|3a 20|
bytes:  |22|appInboundId|22 3a 20 22|default-external-agent|22|
snort (sid 2067122):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow BodySnatcher Now Assist AI Agents Authentication Bypass (CVE-2025-12420)"; flow:established,to_server; http.uri; content:"/api/sn_aia/"; fast_pattern; http.header; to_lowercase; content:"|0d 0a|token|3a 20|"; content:"x-usertoken|3a 20|"; http.request_body; content:"|22|appInboundId|22 3a 20 22|default-external-agent|22|"; http.method; content:"POST"; reference:url,appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/; reference:cve,2025-12420; classtype:web-application-attack; sid:2067122; rev:1;)
snort (sid 2067121):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow BodySnatcher Virtual Agent API Authentication Bypass (CVE-2025-12420)"; flow:established,to_server; http.uri; content:"/api/sn_va_as_service/"; fast_pattern; http.header; to_lowercase; content:"|0d 0a|token|3a 20|"; content:"x-usertoken|3a 20|"; http.request_body; content:"|22|appInboundId|22 3a 20 22|default-external-agent|22|"; http.method; content:"POST"; reference:url,appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/; reference:cve,2025-12420; classtype:web-application-attack; sid:2067121; rev:1;)
  • Exploit targets two distinct ServiceNow API endpoints: /api/sn_aia/ (Now Assist AI Agents) and /api/sn_va_as_service/ (Virtual Agent API). Monitor POST requests to either path for authentication bypass attempts.
  • Exploit requests carry both a generic 'token' HTTP header and an 'x-usertoken' header simultaneously — the combination is a strong indicator of the BodySnatcher impersonation technique.
  • The POST request body contains the JSON field appInboundId set to the value 'default-external-agent', which is a specific artifact of the BodySnatcher exploit payload.
  • The vulnerability allows an unauthenticated user to impersonate another user (including admins) on the ServiceNow AI Platform. Audit logs should be reviewed for unexpected privileged actions originating from unauthenticated or low-privilege sessions.
  • The exploit is publicly named 'BodySnatcher' and has a public exploit available (EPSS 16.3 percentile). Perimeter and internal TLS-decrypting inspection points are recommended deployment locations for the Snort rules.
  • Reference research URL for the BodySnatcher exploit technique is appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/ — useful for threat intel correlation.
  • The Snort rules require TLS decryption (SSLDecrypt/TLSDecrypt) to inspect the HTTP headers and request body. Without TLS inspection at the perimeter or internally, these signatures will not fire on encrypted traffic.
  • ServiceNow patched hosted instances in October 2025 and released Store App updates; self-hosted customers, partners, and customers with unique configurations must apply the security update manually.
  • The affected component is specifically identified as cpe:2.3:a:servicenow:now_assist_ai_agents; scope detection efforts to instances running the Now Assist AI Agents Store App.
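The two Snort signatures above encode four conditions (POST method, a URI containing one of the two API prefixes, both a "token" and an "x-usertoken" request header after lowercasing, and a JSON body carrying appInboundId = default-external-agent). The following Python re-implements that match logic so it can be unit-tested against request samples, for example when validating a WAF or log-pipeline rule that has no Snort engine behind it. This is an added example, not code from this page's source or from ServiceNow or AppOmni; the two sample requests are constructed, with placeholder paths and token values. One deliberate difference from the signatures: the body check parses JSON and so also catches `{"appInboundId":"default-external-agent"}` without the space after the colon, which the byte-exact Snort content match would miss.

```python
"""Python port of the match conditions in the two Snort signatures for
CVE-2025-12420, for testing detection logic against sample requests."""
import json
from typing import Optional

# Conditions lifted from the signatures on this page: sid -> URI substring.
RULES = {
    2067122: "/api/sn_aia/",            # Now Assist AI Agents
    2067121: "/api/sn_va_as_service/",  # Virtual Agent API
}
# Both header names must be present (matched after lowercasing, as the
# rules' to_lowercase transform does).
REQUIRED_HEADERS = ("token", "x-usertoken")
BODY_FIELD, BODY_VALUE = "appInboundId", "default-external-agent"


def parse_request(raw: bytes):
    """Minimal HTTP/1.1 request parser: (method, uri, headers, body).

    Header names are lowercased and whitespace-stripped; header values are
    kept as-is. Only the structure needed for the rule logic is handled."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def match_bodysnatcher(raw: bytes) -> Optional[int]:
    """Return the sid of the signature this request would trigger, else None.

    Mirrors the Snort rules: http.method POST, both headers present,
    appInboundId in the JSON body, and the URI containing a watched prefix
    (a substring match, like the rules' http.uri content match)."""
    method, uri, headers, body = parse_request(raw)
    if method != "POST":
        return None
    if not all(h in headers for h in REQUIRED_HEADERS):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict) or payload.get(BODY_FIELD) != BODY_VALUE:
        return None
    for sid, prefix in RULES.items():
        if prefix in uri:
            return sid
    return None


# Constructed sample requests (placeholder path and token values, not real
# traffic). Mixed header casing shows that the lowercasing step matters.
SUSPICIOUS = (
    b"POST /api/sn_aia/PLACEHOLDER HTTP/1.1\r\n"
    b"Host: instance.example\r\n"
    b"Token: PLACEHOLDER\r\n"
    b"X-UserToken: PLACEHOLDER\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"appInboundId": "default-external-agent"}'
)
# Same endpoint family, but only one of the two headers and a different
# appInboundId: should not match.
BENIGN = (
    b"POST /api/sn_va_as_service/PLACEHOLDER HTTP/1.1\r\n"
    b"Host: instance.example\r\n"
    b"X-UserToken: PLACEHOLDER\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"appInboundId": "some-other-agent"}'
)

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", match_bodysnatcher(req))
```

Running the block prints `suspicious -> 2067122` and `benign -> None`. Because the URI check is a substring match, a request whose path contains the prefix anywhere (for example through a proxy that prepends a base path) is still flagged, which is the same behaviour as the Snort `http.uri; content:` match.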

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:H/U:Amber