Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

BodySnatcher unauthenticated impersonation in ServiceNow AI Platform

IdentifiersCVE-2025-12420CWE-287Also known asbodysnatcher

CVE-2025-12420 is a critical vulnerability in the ServiceNow AI Platform, dubbed "BodySnatcher," that allows an unauthenticated attacker to impersonate another ServiceNow user and perform operations with that user’s entitlements. The issue affects the Now Assist AI Agents (sn_aia) and Virtual Agent API (sn_va_as_service) components. Supporting reporting attributes the flaw to failed authentication and identity-linking checks in AI/Virtual Agent provider flows, including insecure provider configuration using a shared Message Auth secret and account-linking logic that trusted an email address for identity association. In the described exploit chain, an attacker can interact with the Virtual Agent API without valid credentials, cause the platform to associate the session with a victim account, and then invoke AI-agent workflows as that user. Public research further states this could be used to trigger internal agent-execution topics and abuse shipped agent capabilities to perform privileged actions.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables unauthenticated user impersonation and privilege escalation. An attacker can perform any operation the impersonated user is authorized to perform within the affected ServiceNow AI Platform context, including access to data, execution of AI-agent workflows, record creation or modification, configuration changes, and potentially administrative takeover if a highly privileged account or powerful agent workflow is abused. Public reporting states MFA and SSO protections may be bypassed in the vulnerable account-linking flow. Although ServiceNow stated it had no evidence of in-the-wild exploitation at disclosure time, the vulnerability is critical and remotely exploitable.

Mitigation

If you can’t patch tonight, do this now.

If patching cannot be completed immediately, reduce exposure by restricting unauthenticated access to affected ServiceNow AI Platform and Virtual Agent endpoints, especially the Virtual Agent API, through IP allowlisting, VPN-only access, reverse-proxy/WAF controls, and network segmentation. Review and disable or limit exposed AI-agent providers/channels not strictly required, rotate any provider credentials/secrets, and audit account-linking/provider configurations for email-only trust relationships. Monitor for anomalous impersonation behavior, unexpected Virtual Agent API usage, suspicious AI-agent invocations, and unauthorized record or role changes. Enforce least privilege for accounts and AI agents, and review deployed agent capabilities for excessive permissions.

Remediation

Patch, then assume compromise.

Apply ServiceNow’s security updates and upgrade affected Store Apps to fixed versions. For Now Assist AI Agents (sn_aia), upgrade to 5.1.18 or later, or 5.2.19 or later. For Virtual Agent API (sn_va_as_service), upgrade to 3.15.2 or later, or 4.0.4 or later. Hosted instances received ServiceNow-deployed updates beginning in October 2025; self-hosted customers, partners, and hosted customers with unique configurations should apply the vendor-provided updates referenced in ServiceNow’s advisory/KB guidance. Ensure the October 2025 AI security maintenance updates are fully applied across all affected environments.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 2 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
ServicenowAi Platformapplication
ServicenowNow Assist Ai Agentsapplication
ServicenowServicenow Ai Platformapplication
ServicenowVirtual Agent Apiapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

68 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

68 SOURCESView more in app
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

ServiceNow AI Platform unauthenticated user impersonation vulnerability enabling arbitrary actions as another user.

Read more
the hacker newsNews
Jan 19, 2026
⚡ Weekly Recap: Fortinet Exploits, RedLine Clipjack, NTLM Crack, Copilot Attack & More

Unknown

Read more
scworldNews
Jan 15, 2026
ServiceNow patches critical AI Platform vulnerability enabling user impersonation | SC Media

A critical ServiceNow AI Platform vulnerability that could allow an unauthenticated attacker to impersonate another user and execute arbitrary actions within the victim’s entitled scope (account impersonation leading to unauthorized actions).

Read more
techradarNews
Jan 14, 2026
ServiceNow patches critical security flaw which could allow user impersonation | TechRadar

A critical privilege-escalation / user-impersonation vulnerability in ServiceNow AI Platform that could allow an unauthenticated attacker to impersonate other users and perform actions with the victim’s entitlements.

Read more
+9 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity53

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-12420
NVD
nvd.nist.gov/vuln/detail/CVE-2025-12420
MITRE CWE · CWE-287
cwe.mitre.org
Vendor Advisory
support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329