ServiceNow AI Flaw Allows Unauthenticated User Impersonation

CVE-2025-12420 enables unauthenticated ServiceNow user impersonation.

Written By
Ken Underhill
Jan 13, 2026

A newly disclosed ServiceNow AI Platform flaw allows unauthenticated attackers to impersonate users and escalate privileges.

The vulnerability “… could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform,” said ServiceNow in its advisory.

“BodySnatcher is the most severe AI-driven vulnerability uncovered to date: Attackers could have effectively ‘remote controlled’ an organization’s AI, weaponizing the very tools meant to simplify the enterprise,” said Aaron Costello, Chief of Security Research at AppOmni.

He added, “The ServiceNow AI applications susceptible to this flaw are used by nearly half of AppOmni’s Fortune 100 customers.”

ServiceNow AI Privilege Escalation Risk

CVE-2025-12420 is a privilege escalation flaw in the ServiceNow AI Platform that can allow an unauthenticated attacker to impersonate a legitimate user and perform actions as that account. 

This vulnerability eliminates the need for valid credentials, allowing attackers to carry out legitimate actions under a trusted user’s identity. 

Once impersonation succeeds, attackers gain the user’s full permissions, enabling data access, configuration changes, workflow abuse, and lateral movement via integrations.

Risk is highest in environments where AI and virtual agents run with elevated privileges to automate critical business workflows.

The vulnerability affects two widely deployed applications: 

  • Now Assist AI Agents (sn_aia)
  • Virtual Agent API (sn_va_as_service)

The issue was first reported to ServiceNow by AppOmni researchers in October 2025, but ServiceNow issued its broader customer notification and guidance in January 2026.

ServiceNow says it has not observed active exploitation in the wild as of its publication, but the vulnerability’s critical severity and unauthenticated nature make remediation essential. 


Reducing Risk From User Impersonation

Because the vulnerability allows unauthenticated user impersonation, organizations should prioritize remediation even though ServiceNow has not reported active exploitation. 

Applying patches is the most important step, but additional controls can help reduce exposure and limit potential impact. 

  • Apply the official ServiceNow security updates by upgrading Now Assist AI Agents (sn_aia) to 5.1.18+/5.2.19+ and Virtual Agent API (sn_va_as_service) to 3.15.2+/4.0.4+. 
  • Confirm patches are fully deployed across all hosted, self-hosted, partner-managed, and non-production instances. 
  • Enforce least privilege by tightening roles for AI agents, administrators, and integration accounts, and removing unnecessary standing access. 
  • Reduce attack surface by disabling or restricting unused AI features and limiting exposure of high-risk APIs and endpoints where feasible. 
  • Increase detection coverage by monitoring for impersonation indicators, unusual role changes, anomalous access patterns, and unauthorized configuration updates. 
  • Limit blast radius by hardening identity and integrations, rotating tokens/credentials, and adding approval gates for high-impact automated actions. 
  • Test incident response plans to ensure teams can quickly revoke access, rotate credentials, and restore configurations.

These measures help reduce exposure, strengthen detection, and limit the impact of potential ServiceNow compromise. 
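
As an added example (not from ServiceNow or the article's author), the script below checks an inventory of installed application versions against the fixed releases listed above, so that every instance can be confirmed as patched. The inventory rows are constructed sample data, and treating each fixed release as the floor for its own major.minor branch is an assumption; versions on branches the article does not name are flagged for manual review against the advisory.

```python
# Fixed releases as quoted in the article, keyed by application scope.
FIXED = {
    "sn_aia": [(5, 1, 18), (5, 2, 19)],
    "sn_va_as_service": [(3, 15, 2), (4, 0, 4)],
}

def parse_version(text):
    """Turn '5.1.18' into (5, 1, 18); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(scope, version_text):
    """Return 'patched', 'needs_update' or 'review' for one installed app."""
    if scope not in FIXED:
        return "review"
    try:
        installed = parse_version(version_text)
    except ValueError:
        return "review"  # unparseable version: a human should look at it
    for fixed in FIXED[scope]:
        if installed[:2] == fixed[:2]:  # same major.minor branch (assumption)
            return "patched" if installed >= fixed else "needs_update"
    # Branch not named in the article: anything below the lowest fixed
    # release is not on a fixed version; anything else needs manual review.
    return "needs_update" if installed < min(FIXED[scope]) else "review"

def audit(rows):
    """rows: (instance, scope, version) tuples. Returns every non-patched row."""
    findings = []
    for instance, scope, version in rows:
        status = assess(scope, version)
        if status != "patched":
            findings.append((instance, scope, version, status))
    return findings

# Constructed sample inventory covering production and non-production instances.
SAMPLE_INVENTORY = [
    ("prod", "sn_aia", "5.2.19"),
    ("prod", "sn_va_as_service", "4.0.3"),
    ("dev", "sn_aia", "5.1.17"),
    ("test", "sn_va_as_service", "3.15.2"),
    ("partner-sandbox", "sn_aia", "5.3.0"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding, sep="\t")
```
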


AI Platforms Expand Identity Risk

As AI-enabled platforms become more deeply integrated into enterprise workflows, authentication and privilege boundaries need to be treated as foundational security controls.

These systems often sit at the center of high-impact processes, from IT operations to customer support and automated decisioning, which means identity-related flaws can have outsized downstream consequences.

The growing reliance on identity controls is exactly why teams are turning to zero-trust solutions to reduce risk and contain compromise.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
