CVE-2025-12420 is a critical (CVSS 9.3) vulnerability in the ServiceNow AI Platform that can allow a remote, unauthenticated attacker to impersonate another user and then perform actions permitted to that user.
The issue can be triggered via the ServiceNow Virtual Agent API and Now Assist AI Agents, where an attacker may only need a target user’s email address to drive privileged workflows and potentially create persistence (e.g., new privileged accounts), depending on configuration and entitlements.
What’s affected
This CVE is associated with specific ServiceNow Store applications (not just the base platform). AppOmni’s published research lists affected app ranges and fixed versions as follows:
- Now Assist AI Agents (sn_aia)
  - Affected: 5.0.24 – 5.1.17, and 5.2.0 – 5.2.18
  - Fixed: 5.1.18+ and 5.2.19+
- Virtual Agent API (sn_va_as_service)
  - Affected: ≤ 3.15.1 and 4.0.0 – 4.0.3
  - Fixed: 3.15.2+ and 4.0.4+
Hosted vs self-hosted: ServiceNow states the issue was addressed for hosted instances via an update deployed in October 2025, and updates were also provided to self-hosted customers/partners (including cases with unique configurations).
Impact
Successful exploitation of CVE-2025-12420 allows an unauthenticated attacker to impersonate arbitrary users within the ServiceNow AI Platform, including highly privileged accounts. Once impersonation is achieved, the attacker can perform any action available to the compromised identity, such as accessing sensitive records, modifying configurations, creating or elevating user accounts, or triggering automated workflows.
Because the attack abuses trusted platform components rather than traditional authentication flows, these actions may occur without standard interactive login indicators and can bypass controls like MFA or SSO in certain configurations.
The risk is significantly elevated in environments where ServiceNow Virtual Agent is exposed through external channels (such as Microsoft Teams or Slack) or where internet-facing API access is permitted.
Recommended Actions
1. Identify exposure and patch status
- Confirm whether you have sn_aia and/or sn_va_as_service installed.
- Verify their versions. If within affected ranges, upgrade to the fixed versions listed above.
2. Reduce external attack surface
- If your Virtual Agent API is reachable from the internet, restrict it through IP allowlisting, private connectivity/VPN, or WAF/API gateway policies.
- Review integrations that allow Virtual Agent conversations from third-party platforms to ensure only expected tenants/workspaces can reach the API.
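The version check in step 1 can be scripted against the ranges listed above. The following is an added example (not ServiceNow's, AppOmni's, or OP Innovate's code); it assumes the installed application names and version strings have been exported from the instance's installed-application list, and the sample inventory is constructed for illustration.

```python
# Added example: classify installed sn_aia / sn_va_as_service versions
# against the CVE-2025-12420 affected ranges and name the upgrade target.
from typing import List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.1.17' into (5, 1, 17); pad short strings so '5.1' == '5.1.0'."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

# Inclusive (low, high) ranges from the advisory; low=None means "every version up to high".
AFFECTED = {
    "sn_aia": [("5.0.24", "5.1.17"), ("5.2.0", "5.2.18")],
    "sn_va_as_service": [(None, "3.15.1"), ("4.0.0", "4.0.3")],
}
# First fixed release on each line the advisory names.
FIXED = {
    "sn_aia": ["5.1.18", "5.2.19"],
    "sn_va_as_service": ["3.15.2", "4.0.4"],
}

def is_affected(app: str, version: str) -> bool:
    """True if app/version falls inside a published affected range."""
    v = parse_version(version)
    for low, high in AFFECTED.get(app, []):
        if (low is None or parse_version(low) <= v) and v <= parse_version(high):
            return True
    return False

def fixed_target(app: str, version: str) -> Optional[str]:
    """Smallest fixed version at or above the installed one, or None if unknown."""
    v = parse_version(version)
    candidates = [f for f in FIXED.get(app, []) if parse_version(f) >= v]
    return min(candidates, key=parse_version) if candidates else None

def assess(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool, Optional[str]]]:
    """Return (app, version, affected, upgrade_to) for each installed app."""
    report = []
    for app, version in inventory:
        hit = is_affected(app, version)
        report.append((app, version, hit, fixed_target(app, version) if hit else None))
    return report

if __name__ == "__main__":
    # Constructed sample inventory; real values come from the instance's installed-app list.
    sample = [("sn_aia", "5.1.10"), ("sn_aia", "5.2.19"),
              ("sn_va_as_service", "3.12.0"), ("sn_va_as_service", "4.0.4")]
    for row in assess(sample):
        print(row)
```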
Stay Safe. Stay Secure.
OP Innovate Research Team