“BodySnatcher”: when an attacker becomes you in ServiceNow

ServiceNow disclosed and fixed CVE-2025-12420 (CVSS 9.3), dubbed BodySnatcher, that could allow unauthenticated user impersonation in its AI Platform—bypassing MFA/SSO and enabling arbitrary actions as another user, including admin. Patches were deployed to most hosted instances on 30 Oct 2025; fixed versions include Now Assist AI Agents 5.1.18/5.2.19+ and Virtual Agent API 3.15.2/4.0.4+. AppOmni researchers reported the flaw and note it chained a hard-coded platform secret with permissive account-linking to drive privileged agent workflows. No in-the-wild exploitation has been reported.

A critical flaw in ServiceNow’s AI Platform—CVE-2025-12420 (CVSS 9.3)—let an unauthenticated attacker impersonate any user, skipping past MFA and SSO entirely. Think of it as handing your AI-powered service desk to any stranger who knows a target’s email address. ServiceNow pushed fixes to most hosted tenants on 30 October 2025 and published guidance for partners and self-hosted customers, who have to apply the updates themselves.

How it worked
Researchers at AppOmni say the bug chained a hard-coded, platform-wide secret with account-linking logic that trusted only an email address. An attacker who held the shared secret could present any user’s email, be linked to that account with no password, MFA or SSO step, and then drive the platform’s AI agents as that user—including as an admin—to modify records, exfiltrate data, or create backdoor accounts. Because the secret was shared across instances rather than generated per tenant, nothing about the flaw was specific to one customer.
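The pattern AppOmni describes, reduced to a toy account-linking endpoint. This is an added illustration written for this page, not ServiceNow’s code and not AppOmni’s proof of concept; the user directory, secret values, token format and function names are all constructed. The weak version authenticates the integration with a secret that is identical on every instance and then trusts whatever email the caller names. The hardened version uses a per-instance key and links only on a short-lived signed assertion whose subject is the user id of a session that has already passed MFA/SSO, rejecting forged, tampered, expired and replayed assertions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed user directory standing in for a tenant's user table (assumption).
USERS = {
    "u-alice": {"email": "alice@example.com", "roles": ["itil"]},
    "u-admin": {"email": "admin@example.com", "roles": ["admin"]},
}
BY_EMAIL = {u["email"]: sys_id for sys_id, u in USERS.items()}


# --- Weak pattern: one secret baked into the product, identity taken on faith ---

# Hypothetical value; the point is that every copy of the platform shares it.
PLATFORM_SECRET = "same-on-every-instance"


def link_account_weak(request: dict) -> Optional[str]:
    """Link the caller to a user; returns the linked sys_id or None.

    Anyone holding the shared secret can name any email and be linked to that
    user. No password, MFA or SSO step is involved at any point.
    """
    if not hmac.compare_digest(request.get("secret", ""), PLATFORM_SECRET):
        return None
    return BY_EMAIL.get(request.get("email", ""))


# --- Hardened pattern: per-instance key, short-lived assertion, verified subject ---

# Generated on this instance at install time, never shipped with the product.
INSTANCE_SECRET = secrets.token_bytes(32)
_seen_nonces = set()


def _sign(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_link_assertion(session_sys_id: str, ttl: int = 60, key: bytes = INSTANCE_SECRET) -> str:
    """Mint an assertion for a user who is ALREADY authenticated (MFA/SSO done).

    The subject is the session's verified user id, never a caller-chosen email.
    """
    body = {"sub": session_sys_id, "exp": int(time.time()) + ttl, "nonce": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload, key)}"


def link_account_hardened(token: str) -> Optional[str]:
    """Accept a link only for a valid, unexpired, unreplayed assertion; returns sys_id or None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    if not hmac.compare_digest(sig, _sign(payload, INSTANCE_SECRET)):
        return None  # signed under the wrong key, or body changed after signing
    try:
        body = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    if body.get("exp", 0) < time.time() or body.get("nonce") in _seen_nonces:
        return None  # expired or replayed
    _seen_nonces.add(body["nonce"])
    return body["sub"] if body["sub"] in USERS else None


def forge_assertion(target_sys_id: str) -> str:
    """Attacker's attempt: the right token format under a guessed key."""
    return issue_link_assertion(target_sys_id, key=b"guess")


def tamper_subject(token: str, new_sub: str) -> str:
    """Attacker's attempt: keep a genuine signature, swap the subject."""
    payload, sig = token.split(".")
    body = json.loads(base64.urlsafe_b64decode(payload))
    body["sub"] = new_sub
    return base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode() + "." + sig
```

The contrast to notice is where identity comes from: in the weak version it is a string the attacker typed, in the hardened version it is a subject id that only an authenticated session can get signed. Rotating the secret would not have fixed the weak design, since any holder of the new value would be back in the same position.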

Are you fixed?
Patches are present in Now Assist AI Agents (5.1.18+ on the 5.1 branch, 5.2.19+ on the 5.2 branch) and Virtual Agent API (3.15.2+ on 3.15, 4.0.4+ on 4.0). Each branch has its own fix release, so a version such as 5.2.0 is numerically newer than 5.1.18 but still unpatched. Hosted instances were updated by ServiceNow; self-hosted customers and partners must apply the updates themselves. No in-the-wild exploitation has been reported, but customers should verify the installed versions, apply any missing updates, and review audit logs for agent-initiated changes (record edits, data exports, newly created accounts) that no requesting human can account for.
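A branch-aware version check for the fixed releases named above. This is an added example for this page, not a ServiceNow tool; the version strings you feed it are whatever your own instance reports, and the inputs in the usage note are constructed. The point it makes is that each app has two maintained branches with separate fix releases, so a flat comparison against the lowest fixed number passes 5.2.0 even though the 5.2 branch is only fixed from 5.2.19; branches the advisory does not list are reported as unknown rather than guessed.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed releases as stated above; keyed by (major, minor) branch.
FIXED: Dict[str, Dict[Tuple[int, int], Version]] = {
    "Now Assist AI Agents": {(5, 1): (5, 1, 18), (5, 2): (5, 2, 19)},
    "Virtual Agent API": {(3, 15): (3, 15, 2), (4, 0): (4, 0, 4)},
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; anything else is rejected rather than guessed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def status(app: str, installed: str) -> str:
    """'fixed', 'vulnerable', or 'unknown branch' when no fix release is listed for it."""
    v = parse_version(installed)
    fix = FIXED[app].get((v[0], v[1]))
    if fix is None:
        return "unknown branch"
    return "fixed" if v >= fix else "vulnerable"


def naive_status(app: str, installed: str) -> str:
    """The tempting but wrong check: compare against the lowest fixed release only."""
    lowest = min(FIXED[app].values())
    return "fixed" if parse_version(installed) >= lowest else "vulnerable"


def assess(installed: Dict[str, str]) -> Dict[str, str]:
    """Evaluate every app the advisory names; apps absent from `installed` are flagged."""
    return {
        app: (status(app, installed[app]) if app in installed else "not installed")
        for app in FIXED
    }


if __name__ == "__main__":
    # Constructed input, not read from a real instance.
    report = assess({"Now Assist AI Agents": "5.2.0", "Virtual Agent API": "3.15.2"})
    for app, result in report.items():
        print(f"{app}: {result}")
```

For the constructed input the report shows Now Assist AI Agents as vulnerable and Virtual Agent API as fixed; `naive_status` would have called the 5.2.0 install fixed. Treat "unknown branch" as a prompt to check the vendor KB, not as a pass.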

Takeaways
AI integrations often run with broad permissions; when the identity check in front of them is weak, they become a fast lane into the systems you care about. Here that check collapsed to a secret shared by every instance plus an unverified email address, so the lessons are concrete: never let a product-wide secret stand in for user authentication, link accounts only from a session that has already passed MFA/SSO, keep tokens short-lived, and make every agent action attributable to a requesting human.