CVE-2025-12420: Critical Flaw in ServiceNow AI

A Critical Threat to Your ServiceNow Instance

A critical unauthenticated privilege escalation vulnerability, CVE-2025-12420, has been identified in the ServiceNow AI Platform; it carries a CVSS score of 9.3, reflecting its potential for severe impact. This flaw allows a remote, unauthenticated attacker to impersonate any user within a target ServiceNow instance, granting them full access to the victim's data and permissions. Given that over 849,000 ServiceNow instances are publicly exposed, the attack surface for this vulnerability is massive; immediate action is required to mitigate this threat.

Understanding CVE-2025-12420

The vulnerability resides within components of the ServiceNow AI Platform, specifically the 'Now Assist AI Agents' and 'Virtual Agent API' applications. The core of the issue is a failure to properly validate user identity in certain API requests. An attacker can craft a specific, malicious request to a vulnerable endpoint; this tricks the platform into granting them the session and privileges of a legitimate, existing user without requiring any form of authentication.

This is not a simple permission bypass; it is a full account takeover. The attacker effectively becomes the impersonated user, able to perform any action that user is authorized to execute. If the impersonated user is an administrator, the attacker gains complete control over the ServiceNow instance, including the ability to access and exfiltrate sensitive data, modify critical workflows, create rogue admin accounts, and disable security logging.

Quote Block:
"This issue, tracked as CVE-2025-12420, could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform."
- ServiceNow Security Advisory

Identifying Your Exposure

Identifying exposed and potentially vulnerable instances is the first step toward remediation. Security teams can use public asset discovery tools to find internet-facing ServiceNow portals.

Discovery Dorks:

# ZoomEye Dork to find exposed instances
app="ServiceNow"

# Flawtrack Filter to find vulnerable assets
vul.cve="CVE-2025-12420"

The sheer number of exposed instances means attackers can automate discovery and exploitation, targeting organizations at scale. Assuming your instance is not a target is a critical mistake.

The Attack Vector Explained

An attack leveraging CVE-2025-12420 follows a straightforward path:

1. Discovery: The threat actor uses search tools like ZoomEye or Shodan to compile a list of publicly accessible ServiceNow instances.
2. Targeting: The attacker identifies a target instance and crafts a malicious API request. They may not even need to know a specific username; the vulnerability could potentially allow impersonation of high-privilege system accounts.
3. Exploitation: The attacker sends the crafted request to a vulnerable endpoint within the Virtual Agent or Now Assist AI infrastructure. The system fails to validate the request's authenticity and grants the attacker a session tied to the impersonated user.
4. Post-Exploitation: With the victim's privileges, the attacker can now operate freely within the ServiceNow environment. Actions could include stealing HR data, accessing financial records, modifying IT service management (ITSM) tickets to conceal activities, or deploying malicious scripts through the platform's automation features.

Immediate Remediation Steps

ServiceNow, in coordination with the security firm AppOmni, has released patches to address this vulnerability. The vendor began deploying security updates to hosted instances on October 30, 2025. However, self-hosted customers and those who manage their own Store App updates must take manual action.

Verify that your instance is running a patched version of the affected applications. Refer to the table below for the minimum secure versions:

Store Application Name (App ID)	Minimum Patched Version
Now Assist AI Agents (sn_aia)	5.1.18 or later
Now Assist AI Agents (sn_aia)	5.2.19 or later
Virtual Agent API (sn_va_as_service)	3.15.2 or later
Virtual Agent API (sn_va_as_service)	4.0.4 or later

Here’s what you need to do:

• Hosted Customers: While ServiceNow has patched most hosted instances, it is your responsibility to verify. Log into your instance, navigate to the Store Application management section, and confirm the versions of 'Now Assist AI Agents' and 'Virtual Agent API' meet or exceed the versions listed above.
• Self-Hosted Customers: You are at the highest risk and must act immediately. Apply the necessary security updates provided by ServiceNow. Refer to ServiceNow Knowledge Base article KB2587366 for detailed instructions.
• All Customers:
  1. Scan and Verify: Use your Attack Surface Management (ASM) and vulnerability management tools to confirm that all ServiceNow instances associated with your organization are identified and patched. Don't rely on manual asset inventories.
  2. Audit Logs: Review historical logs for any signs of compromise, paying close attention to the time frame before your instance was patched. Look for unusual impersonation events, unexpected API usage from unknown IP addresses, or privilege escalations that do not align with normal administrative activity.
  3. Restrict Access: As a temporary compensating control if patching is delayed, consider implementing network access control lists (ACLs) or firewall rules to limit access to the ServiceNow AI Platform API endpoints from untrusted networks. This is not a substitute for patching.

Conclusion: The New Reality of SaaS Security

CVE-2025-12420 is a stark reminder that critical, unauthenticated vulnerabilities are not limited to on-premise software. Complex SaaS platforms like ServiceNow are high-value targets; their interconnectedness and data richness make them prime targets for attackers. Proactive security posture management, including continuous asset discovery and vulnerability scanning, is no longer optional. Do not assume you are secure; verify your patch status, audit for compromise, and ensure your ServiceNow environment is protected.