Jan 13 / Latest News

Critical 'BodySnatcher' Flaw in ServiceNow AI Allowed Unchecked User Impersonation

ServiceNow has disclosed details regarding a critical security vulnerability within its artificial intelligence platform that potentially allowed unauthenticated attackers to impersonate users and perform arbitrary actions.

The flaw, assigned the identifier CVE-2025-12420 and carrying a near-maximum CVSS severity score of 9.3, was discovered by security researchers at AppOmni, who dubbed it "BodySnatcher." According to an advisory released on Monday, the vulnerability could enable a threat actor to assume the identity of a legitimate user and execute operations within the limits of that user's entitlements, without requiring valid credentials.

In a technical breakdown of the issue, AppOmni revealed that the flaw resided within the Virtual Agent integration. Researchers found that attackers could combine a hardcoded, platform-wide secret with specific account-linking logic to impersonate any ServiceNow user, including administrators, using only the target's email address. Because the impersonation happened at the integration layer rather than at login, it bypassed perimeter controls such as multi-factor authentication (MFA) and single sign-on (SSO). Successful exploitation would allow an intruder to remotely drive privileged AI agent workflows, potentially subverting security controls and creating backdoor accounts with elevated privileges.

Aaron Costello, chief of SaaS Security Research at AppOmni, who is credited with discovering and reporting the issue in October 2025, emphasized the unique severity of the bug. "BodySnatcher is the most severe AI-driven vulnerability uncovered to date: Attackers could have effectively 'remote controlled' an organization's AI, weaponizing the very tools meant to simplify the enterprise," Costello told reporters. He further explained that by linking these weaknesses, an attacker could remotely execute agentic workflows as any user, turning the AI against the organization it was meant to serve.

ServiceNow addressed the shortcoming on October 30, 2025, by deploying a security update to the vast majority of its hosted instances. The company has also shared patches with its partners and self-hosted customers. The versions containing the fix are Now Assist AI Agents 5.1.18 or later and 5.2.19 or later, and Virtual Agent API 3.15.2 or later and 4.0.4 or later. While ServiceNow stated there is currently no evidence that the vulnerability has been exploited in the wild, organizations managing self-hosted instances are strongly advised to apply the appropriate security updates immediately.
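For self-hosted administrators the practical question is whether each installed component is on a fixed release. The following is an added example, not code from ServiceNow or AppOmni, that turns the fixed versions quoted above into a small audit check. It assumes that component versions are reported as three-part dotted strings (major.minor.patch) and that each fixed version applies to its own major.minor branch; a branch the article does not mention is reported as unknown rather than guessed at. The inventory at the bottom is constructed sample data.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Minimum fixed version per release branch (major, minor), taken from the
# advisory summary above. Anything below these on the same branch is unpatched.
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], Version]] = {
    "Now Assist AI Agents": {(5, 1): (5, 1, 18), (5, 2): (5, 2, 19)},
    "Virtual Agent API": {(3, 15): (3, 15, 2), (4, 0): (4, 0, 4)},
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple; reject anything else.

    Strict parsing matters here: silently accepting '5.1' as (5, 1, 0) would
    misreport a build as older than it is, or hide a malformed inventory entry.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def patch_status(component: str, version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one component.

    Comparison is done within the installed major.minor branch, because a
    5.1.x build is fixed at 5.1.18 while a 5.2.x build needs 5.2.19; comparing
    across branches would wrongly call 5.1.18 older than 5.2.0.
    """
    if component not in FIXED_VERSIONS:
        raise KeyError(f"no fixed versions recorded for component {component!r}")
    version = parse_version(version_text)
    branch = version[:2]
    fixed_for_branch = FIXED_VERSIONS[component].get(branch)
    if fixed_for_branch is None:
        # Assumption: branches the advisory does not list are flagged for
        # manual review instead of being assumed safe.
        return "unknown-branch"
    return "patched" if version >= fixed_for_branch else "vulnerable"


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Annotate (instance, component, version) rows with their patch status."""
    return [
        (instance, component, version, patch_status(component, version))
        for instance, component, version in inventory
    ]


# Constructed sample inventory (hypothetical instance names and versions).
SAMPLE_INVENTORY = [
    ("dev-instance", "Now Assist AI Agents", "5.1.17"),
    ("prod-instance", "Now Assist AI Agents", "5.2.19"),
    ("prod-instance", "Virtual Agent API", "3.15.1"),
    ("uat-instance", "Virtual Agent API", "4.0.4"),
    ("lab-instance", "Now Assist AI Agents", "5.3.0"),
]

if __name__ == "__main__":
    for instance, component, version, status in audit(SAMPLE_INVENTORY):
        print(f"{instance:<14} {component:<22} {version:<8} {status}")
```

Rows reported as `vulnerable` are the ones to prioritise; `unknown-branch` rows need a check against the vendor's release notes, since the article only lists the 5.1, 5.2, 3.15 and 4.0 branches.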

This disclosure arrives nearly two months after AppOmni revealed a separate issue involving default configurations in ServiceNow's Now Assist generative AI platform, which allowed second-order prompt injection attacks. That earlier vulnerability could be weaponized to exfiltrate sensitive corporate data, modify records, or escalate privileges. The discovery of BodySnatcher underscores the growing necessity for rigorous security scrutiny as enterprises continue to integrate complex, agentic AI capabilities into their core infrastructure.