ServiceNow has patched a critical vulnerability in its AI Platform that allowed unauthenticated users to impersonate others and execute arbitrary actions. The flaw, identified as CVE-2025-12420, had a severe CVSS score of 9.3 out of 10.0, indicating a high risk of exploitation. The company addressed the issue with a security update on October 30, 2025, for most hosted instances and provided patches to partners and self-hosted customers.
The vulnerability, discovered by Aaron Costello, Chief of SaaS Security Research at AppOmni, was reported in October 2025. While ServiceNow has confirmed the fix, there is no current evidence of the vulnerability being exploited in the wild. However, users are strongly advised to apply the necessary security updates promptly to safeguard their systems against potential threats.
ServiceNow AI Platform Vulnerability Addressed
The critical security flaw, CVE-2025-12420, resided within the ServiceNow AI Platform. According to ServiceNow’s advisory, the vulnerability “could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform.” This means an attacker could potentially gain unauthorized access to sensitive information and perform actions as if they were a legitimate user, with elevated privileges.
ServiceNow moved swiftly to rectify the situation once the vulnerability was identified. A comprehensive security update was deployed to the majority of its hosted instances, effectively mitigating the risk for a large number of users. Furthermore, the company collaborated with its partners and provided patches to customers who manage their own ServiceNow environments, ensuring a broad application of the fix.
Affected Software Versions and Fixes
The security update specifically addresses CVE-2025-12420 in two key components of the ServiceNow AI Platform: Now Assist AI Agents and the Virtual Agent API. Customers utilizing these services should ensure they are running the following patched versions or later:
- Now Assist AI Agents (sn_aia) – 5.1.18 or later, and 5.2.19 or later
- Virtual Agent API (sn_va_as_service) – 3.15.2 or later, and 4.0.4 or later
Applying these updates is crucial for preventing unauthorized access and potential data breaches. Users are encouraged to verify their current version and apply the relevant patch without delay.
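Because the fix ships on two release branches per application, a naive "is my version newer than 5.1.18?" comparison would wrongly pass an unpatched 5.2.x build. The following added example (not ServiceNow's or AppOmni's code) makes that branch-aware check against the fixed versions quoted above; the application scope names and the sample inventory are taken from or constructed for this page, and the real installed versions would come from the instance itself.

```python
"""Branch-aware check of installed ServiceNow app versions against the
fixed versions listed for CVE-2025-12420 (defender-side patch triage)."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed versions from the advisory, keyed by application scope name.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "sn_aia": ["5.1.18", "5.2.19"],            # Now Assist AI Agents
    "sn_va_as_service": ["3.15.2", "4.0.4"],   # Virtual Agent API
}

def parse_version(text: str) -> Version:
    """Turn '5.1.18' into (5, 1, 18); anything shorter or non-numeric is an error."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return parts

def patch_status(app: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one installed app.

    The installed version is compared only against the fixed version of its
    own major.minor branch, so 5.2.5 is not "saved" by being newer than 5.1.18.
    """
    if app not in FIXED_VERSIONS:
        return "unknown"
    cur = parse_version(installed)
    fixed = sorted(parse_version(v) for v in FIXED_VERSIONS[app])
    for fv in fixed:
        if fv[:2] == cur[:2]:                    # same release branch
            return "patched" if cur >= fv else "vulnerable"
    if cur < fixed[0]:                           # older than every fixed branch
        return "vulnerable"
    if cur > fixed[-1]:                          # newer branch than any listed
        return "patched"
    return "unknown"                             # a branch between the listed ones

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each installed app in an instance's inventory to its status."""
    return {app: patch_status(app, ver) for app, ver in inventory.items()}

# Constructed sample inventory (not from a real instance).
SAMPLE_INVENTORY = {
    "sn_aia": "5.2.5",               # newer than 5.1.18 but below 5.2.19
    "sn_va_as_service": "4.0.4",     # exactly the fixed version
}

if __name__ == "__main__":
    for app, status in triage(SAMPLE_INVENTORY).items():
        print(f"{app}: {SAMPLE_INVENTORY[app]} -> {status}")
```

A result of "unknown" (a branch the advisory does not list) should be confirmed against the vendor advisory rather than assumed safe.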
Previous Security Concerns with ServiceNow’s AI Offerings
This recent disclosure follows another significant security revelation regarding ServiceNow’s AI capabilities. Just two months prior to the announcement of CVE-2025-12420, AppOmni had highlighted concerns about potential exploitation of default configurations within ServiceNow’s Now Assist generative AI platform. At that time, malicious actors were reportedly capable of leveraging the platform’s agentic features to execute second-order prompt injection attacks.
These attacks could have allowed unauthorized actions, including the exfiltration of sensitive corporate data, modification of existing records, and escalation of user privileges. The potential for such sophisticated attacks underscores the importance of robust SaaS security practices and diligent oversight of AI platform configurations.
The discovery and subsequent patching of CVE-2025-12420 demonstrate the ongoing efforts by both security researchers and ServiceNow to maintain the integrity of their platform. As AI technologies continue to evolve and integrate into core business processes, the focus on securing these advanced capabilities becomes paramount. Organizations must remain vigilant, regularly update their software, and implement stringent security protocols to protect against emerging threats.
Looking ahead, the successful patching of this critical vulnerability is a positive step. However, the SaaS security landscape is constantly changing, and users of ServiceNow and other AI platforms should expect that continued diligence in identifying and addressing potential weaknesses will be required. The industry will likely see increased scrutiny of AI functionalities and their associated security implications, with ongoing updates and best-practice advisories expected from platform providers and security firms alike.