- ServiceNow Fixes Critical AI Platform Flaw (CVE-2025-12420) Allowing User Impersonation
- “BodySnatcher” scored 9.3/10 and affected multiple versions of the app.
- No exploitation observed so far; experts warn that attacks often begin only after a patch is released, so unpatched instances remain at risk
ServiceNow, one of the most popular cloud platforms for automating IT and business workflows, said it recently fixed a critical severity vulnerability that allowed malicious actors to impersonate other users and perform arbitrary actions on their behalf.
The company revealed that SaaS security firm AppOmni informed it of a critical privilege escalation vulnerability within its AI platform in October 2025. Following an investigation, the company began tracking the bug as CVE-2025-12420 and assigned it a severity score of 9.3/10 (critical).
“This problem […] could allow an unauthenticated user to impersonate another user and perform operations that the impersonated user is authorized to perform,” the advisory states. “On October 30, 2025, ServiceNow fixed this vulnerability by deploying a relevant security update to the majority of hosted instances,” it further states. “Security updates have also been provided to ServiceNow partners and self-hosted customers. Additionally, the vulnerability is fixed in listed versions of the Store app.”
Biggest bug ever?
The fix is included in these Store app versions (each affected release branch has its own patched build):
- Now Assist AI Agents (sn_aia) – 5.1.18 or later and 5.2.19 or later
- Virtual Agent API (sn_va_as_service) – 3.15.2 or later and 4.0.4 or later
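Because the patched builds are per branch, a simple "is my version newer than X" check is not enough: a 5.1.x instance must be compared with 5.1.18, a 5.2.x instance with 5.2.19, and a branch the advisory does not list cannot be assumed safe. The following is an added example (not ServiceNow's or AppOmni's code) of that branch-aware check; the sample records are constructed here and are assumed to resemble `sys_store_app` rows (a `scope` and a `version` field) as returned by the Table API.

```python
"""Branch-aware check of installed Store app versions against the
CVE-2025-12420 fixed releases listed in the advisory.

Added example; the fixed-version table is taken from the advisory text,
the input records are constructed and only assumed to look like
sys_store_app rows (scope + version).
"""

# Minimum fixed build per (app scope, release branch). A branch that is
# not listed here is "unknown", never silently "fixed".
FIXED_VERSIONS = {
    "sn_aia": {"5.1": (5, 1, 18), "5.2": (5, 2, 19)},
    "sn_va_as_service": {"3.15": (3, 15, 2), "4.0": (4, 0, 4)},
}


def parse_version(text: str) -> tuple:
    """Turn '5.1.18' into (5, 1, 18); raises ValueError on junk input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"version needs at least major.minor: {text!r}")
    return parts


def assess(scope: str, version: str) -> str:
    """Classify one installed app as 'fixed', 'vulnerable',
    'unknown-branch' (no fixed build listed for that line) or
    'not-affected' (scope not named in the advisory)."""
    branches = FIXED_VERSIONS.get(scope)
    if branches is None:
        return "not-affected"
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    floor = branches.get(branch)
    if floor is None:
        # e.g. 5.0.x or 5.3.x: the advisory lists no patched build for this
        # line, so escalate to the vendor rather than assuming it is safe.
        return "unknown-branch"
    # Tuple comparison handles 5.1.18 vs 5.1.100 correctly (no string sort).
    return "fixed" if v >= floor else "vulnerable"


def audit(records: list) -> dict:
    """Map every record's scope to its assessment."""
    return {r["scope"]: assess(r["scope"], r["version"]) for r in records}


# Constructed sample input, shaped like sys_store_app rows (assumption).
SAMPLE_RECORDS = [
    {"scope": "sn_aia", "version": "5.1.17"},           # one build behind the fix
    {"scope": "sn_va_as_service", "version": "4.0.4"},  # exactly the fixed build
    {"scope": "x_other_app", "version": "1.0.0"},       # not named in the advisory
]

if __name__ == "__main__":
    for scope, state in audit(SAMPLE_RECORDS).items():
        print(f"{scope:20s} {state}")
```

Run it against the real `sys_store_app` table by replacing `SAMPLE_RECORDS` with the rows your instance returns; anything reported as `vulnerable` or `unknown-branch` needs the update or a conversation with ServiceNow, and a self-hosted instance that never received the hosted rollout should be checked the same way.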
So far, there is no evidence that this vulnerability is being exploited in the wild. However, it is not uncommon for a bug to start being exploited only after a patch is released: many cybercriminals lack the knowledge and resources to track down zero-day vulnerabilities, and a published fix tells them where to look, so they simply rely on the fact that many companies fail to update their software on time.
AppOmni, which discovered the flaw, dubbed it “BodySnatcher.”
“BodySnatcher is the most serious AI-based vulnerability discovered to date: attackers could have effectively ‘remote-controlled’ an organization’s AI, weaponizing the very tools intended to simplify the enterprise,” a researcher said.
Via The Hacker News