“With respect to what was publicly understood regarding the availability of AI agents on the platform, this understanding is groundbreaking,” the researchers said. “The general consensus was that in order for an AI agent to be executed outside of testing, it must be deployed to a channel that has explicitly enabled the Now Assist feature. But this is not the case. Evidently, as long as the agent is in an active state and the calling user has the necessary permissions, it can be executed directly through these topics.”
Normally, using the agent-to-agent API requires a ServiceNow account, but because it is a wrapper for the older Virtual Agent API, which doesn’t require a ServiceNow account, this requirement can be bypassed.
An attacker would also need the unique ID of an AI agent that exists in their victim’s ServiceNow instance. It turns out that installing the Now Assist AI application deploys example agents by default, including the Record Management AI Agent, which was capable of creating records in any arbitrary table. This agent, which has been removed as part of the patch, had the same UID across all deployments.
