CVE-2025-12420: Broken Authentication and Privileged Workflow Execution in ServiceNow

Published Date: January 16, 2026

Category: ShadowOpsIntel

In January 2026, AppOmni AO Labs disclosed a critical security flaw (CVE-2025-12420) in ServiceNow’s agentic AI ecosystem, affecting its Virtual Agent API and Now Assist AI Agents. Dubbed “BodySnatcher”, this vulnerability represents one of the most severe AI-driven authentication bypasses discovered to date. It allows unauthenticated attackers to impersonate any ServiceNow user including administrators, using only a valid email address. The exploit chain enables attackers to bypass MFA and SSO, execute privileged AI workflows, and gain full control of enterprise ServiceNow instances.

Severity: Critical

Vulnerability Details

BodySnatcher (CVE-2025-12420) exploits a design flaw in ServiceNow’s Virtual Agent provider configuration and AI agent linking mechanism.

The root causes include:

A platform-wide static secret key (servicenowexternalagent) shared across all ServiceNow instances.
Auto-linking logic that trusts a supplied email address without enforcing multi-factor authentication (MFA).
Privileged AI topics (e.g., AIA-Agent Invoker AutoChat) capable of running AI agents outside authorized channels.

These weaknesses combine to form an agentic hijacking chain, allowing attackers to execute AI-based administrative actions remotely.

Attack Mechanism

Authentication Bypass: The attacker uses the universal provider secret to authenticate to the Virtual Agent API, which normally mediates chatbot and agent communications.
User Impersonation: By submitting a target’s email address, the attacker leverages the auto-linking mechanism to impersonate that ServiceNow user.
Agent Invocation: The attacker triggers the “AIA-Agent Invoker AutoChat” topic, which instructs ServiceNow to launch AI agents (like the Record Management AI agent) capable of modifying system records.
Privilege Escalation:
Using crafted payloads, the attacker directs the AI to:
- Create a new user record,
- Assign administrative roles,
- Reset the new account password,
- Achieve full administrative access.

This chain effectively transforms the ServiceNow AI framework into a remote command execution environment.

Affected Versions

Component	Vulnerable Versions	Fixed Versions
Now Assist AI Agents	5.0.24–5.1.17, 5.2.0–5.2.18	5.1.18 / 5.2.19
Virtual Agent API	≤3.15.1, 4.0.0–4.0.3	3.15.2 / 4.0.4

Significance

This vulnerability exemplifies how AI integrations expand the traditional attack surface. By exploiting agentic automation within ServiceNow, attackers could hijack AI agents to perform privileged operations autonomously. It highlights the urgent need to treat agentic AI systems as critical infrastructure with continuous oversight, configuration hygiene, and behavior monitoring

Recommendations

Customers using on-premise ServiceNow products must upgrade to the earliest fixed versions of the affected applications (Now Assist AI Agents and Virtual Agent API). No action is required for cloud-hosted customers.
Organizations should configure their AI agent providers to require MFA for account linking, prioritizing software-based authenticators over SMS.
Regularly audit and de-provision “dormant” or unused AI agents to reduce the potential attack surface.
Implement automated review and approval processes before deploying powerful AI agents to production.

Source:

https://appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.