ServiceNow has resolved a critical security vulnerability within its AI platform that, if exploited, could have allowed unauthorized individuals to impersonate legitimate users and execute improper actions. The company disclosed the issue, designated CVE-2025-12420, on Monday. This ServiceNow security flaw, carrying a severity score of 9.3 out of 10, was identified by the SaaS security firm AppOmni in October.
ServiceNow addressed the vulnerability by deploying fixes to most hosted instances on October 30, 2025. The company also provided patches to partners and customers operating self-hosted environments. According to ServiceNow, there is currently no evidence to suggest that the vulnerability was exploited prior to the implementation of these fixes. The affected components include Now Assist AI Agents and the Virtual Agent API.
ServiceNow Fixes Critical AI Security Vulnerability
Customers utilizing the affected versions of these components are strongly advised to upgrade to the patched releases. Specifically, Now Assist AI Agents versions 5.1.18 and 5.2.19, along with Virtual Agent API versions 3.15.2 and 4.0.4, are among the releases that incorporate the necessary security updates.
Prompt Injection Risks in Enterprise AI
The disclosure of this vulnerability coincides with growing concerns among security professionals regarding the configuration and deployment practices of enterprise AI systems. AppOmni’s research, which discovered CVE-2025-12420, also highlighted potential security risks stemming from the default settings in ServiceNow’s Now Assist platform. These settings could potentially enable second-order prompt injection attacks.
Second-order prompt injection is a sophisticated attack that manipulates AI agents not through direct user input, but by influencing the data those agents process. This exploit method is particularly concerning for enterprise AI where data flows are complex and interconnected.
Researchers found that a feature called “agent discovery,” designed to allow AI agents to collaborate on complex tasks, can become an attack vector if not configured with proper access controls. By improperly grouping agents or failing to implement adequate safeguards, organizations can inadvertently create pathways for malicious activity.
In controlled tests, researchers demonstrated how users with low-level privileges could embed malicious instructions within data fields. When AI agents belonging to higher-privileged users processed this compromised data, the agents could then be manipulated to recruit other, more powerful agents. This cascade effect could lead to unauthorized data access, modifications, or even privilege escalation.
These attacks proved successful even when ServiceNow’s built-in prompt injection protection features were enabled. This suggests that configuration choices can significantly undermine the security controls inherent in AI platforms. The researchers noted that the default settings would automatically group agents into discoverable teams, creating unintended opportunities for collaboration that attackers could exploit.
The findings from AppOmni’s research underscore a critical challenge in implementing enterprise AI: security is not solely dependent on the underlying technology but also heavily relies on an organization’s specific configuration and ongoing management of these systems. ServiceNow has acknowledged these findings, stating that the observed behaviors were intentional design choices and has updated its documentation to provide clearer guidance on configuration options for its service management solutions.
Organizations utilizing ServiceNow’s AI platform must now navigate the balance between empowering autonomous agent capabilities and mitigating potential security risks. The research suggests several proactive measures, including requiring human oversight for agents with elevated permissions, segmenting agents into isolated teams based on their functions, and diligently monitoring agent activity for any deviations from expected operational patterns.
Further details regarding this vulnerability and its resolution can be found on the ServiceNow official website. The next steps for organizations will involve reviewing and updating their AI agent configurations to implement the recommended security practices and ensure robust protection against emergent threats.