A newly disclosed ServiceNow AI Platform flaw allows unauthenticated attackers to impersonate users and escalate privileges.
The vulnerability “… could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform,” said ServiceNow in its advisory.
ServiceNow AI Privilege Escalation Risk
CVE-2025-12420 is a privilege escalation flaw in the ServiceNow AI Platform that can allow an unauthenticated attacker to impersonate a legitimate user and perform actions as that account.
This vulnerability removes the need for valid credentials: an attacker can perform otherwise-legitimate actions under a trusted user’s identity.
Once impersonation succeeds, attackers gain the user’s full permissions, enabling data access, configuration changes, workflow abuse, and lateral movement via integrations.
Risk is highest in environments where AI and virtual agents run with elevated privileges to automate critical business workflows.
The vulnerability affects two widely deployed applications:
- Now Assist AI Agents (sn_aia)
- Virtual Agent API (sn_va_as_service)
The issue was first reported to ServiceNow by AppOmni researchers in October 2025, but ServiceNow issued its broader customer notification and guidance in January 2026.
ServiceNow says it has not observed active exploitation in the wild as of its publication, but the vulnerability’s critical severity and unauthenticated nature make remediation essential.
Reducing Risk From User Impersonation
Because the vulnerability allows unauthenticated user impersonation, organizations should prioritize remediation even though ServiceNow has not reported active exploitation.
Applying patches is the most important step, but additional controls can help reduce exposure and limit potential impact.
- Apply the official ServiceNow security updates by upgrading Now Assist AI Agents (sn_aia) to 5.1.18+/5.2.19+ and Virtual Agent API (sn_va_as_service) to 3.15.2+/4.0.4+.
- Confirm patches are fully deployed across all hosted, self-hosted, partner-managed, and non-production instances.
- Enforce least privilege by tightening roles for AI agents, administrators, and integration accounts, and removing unnecessary standing access.
- Reduce attack surface by disabling or restricting unused AI features and limiting exposure of high-risk APIs and endpoints where feasible.
- Increase detection coverage by monitoring for impersonation indicators, unusual role changes, anomalous access patterns, and unauthorized configuration updates.
- Limit blast radius by hardening identity and integrations, rotating tokens/credentials, and adding approval gates for high-impact automated actions.
- Test incident response plans to ensure teams can quickly revoke access, rotate credentials, and restore configurations.
These measures help reduce exposure, strengthen detection, and limit the impact of potential ServiceNow compromise.
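One way to turn the version thresholds above into a repeatable check, written here as an added example rather than anything published by ServiceNow or AppOmni: a small Python audit that takes an application scope and its installed version (assumed to come from the instance's store-app inventory, such as the sys_store_app table) and reports whether it meets the fixed release for its branch. The branch-aware comparison matters because 5.2.19 sorting higher than 5.1.17 does not make 5.1.17 patched.

```python
# Fixed versions from the ServiceNow advisory as quoted in the article:
# each application lists one fixed release per affected branch.
FIXED_VERSIONS = {
    "sn_aia": ["5.1.18", "5.2.19"],           # Now Assist AI Agents
    "sn_va_as_service": ["3.15.2", "4.0.4"],  # Virtual Agent API
}

def parse_version(v):
    """Turn '5.1.18' into (5, 1, 18); tolerate a trailing tag like '4.0.4-hotfix1'."""
    core = v.strip().split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))

def is_patched(scope, installed):
    """Return (patched, reason) for one installed ServiceNow store app.

    A fixed release only covers its own major.minor branch, so 5.1.17 is
    NOT covered by 5.2.19 even though 5.2.19 sorts higher than 5.1.17.
    Assumption (not stated in the advisory): a branch newer than every listed
    fixed branch is treated as patched; an older unlisted branch is not.
    """
    if scope not in FIXED_VERSIONS:
        return True, f"{scope}: not one of the affected applications"
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in FIXED_VERSIONS[scope]]
    for fix in fixes:
        if inst[:2] == fix[:2]:  # same branch: compare against that branch's fix
            fixed_str = ".".join(map(str, fix))
            return inst >= fix, f"{scope} {installed}: branch fix is {fixed_str}"
    if inst[:2] > max(f[:2] for f in fixes):
        return True, f"{scope} {installed}: newer than all listed fixed branches (assumed patched)"
    return False, f"{scope} {installed}: no fixed release listed for this branch; move to a fixed branch"

def audit(installed_apps):
    """Check (scope, version) pairs; returns a list of (scope, version, patched, reason)."""
    return [(s, v, *is_patched(s, v)) for s, v in installed_apps]

# Constructed sample shaped like a store-app inventory export; not real instance data.
SAMPLE_INVENTORY = [
    ("sn_aia", "5.1.17"),
    ("sn_aia", "5.2.19"),
    ("sn_va_as_service", "4.0.4-hotfix1"),
    ("sn_va_as_service", "3.14.9"),
    ("sn_va_as_service", "4.1.0"),
    ("sn_itsm", "12.0.1"),
]

if __name__ == "__main__":
    for scope, ver, ok, why in audit(SAMPLE_INVENTORY):
        print("PATCHED   " if ok else "VULNERABLE", why)
```

Run it against every instance in scope, including non-production and partner-managed ones, since the article's guidance is that a single unpatched copy is still exposed.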
AI Platforms Expand Identity Risk
As AI-enabled platforms become more deeply integrated into enterprise workflows, authentication and privilege boundaries need to be treated as foundational security controls.
These systems often sit at the center of high-impact processes, from IT operations to customer support and automated decisioning, which means identity-related flaws can have outsized downstream consequences.
The growing reliance on identity controls is exactly why teams are turning to zero-trust solutions to reduce risk and contain compromise.
