‘BodySnatcher’ Vulnerability in ServiceNow Lets Attackers Impersonate Users; Patch Released

Critical ‘BodySnatcher’ Vulnerability in ServiceNow Allows Unauthenticated User Impersonation

A significant security flaw, designated as CVE-2025-12420 and dubbed BodySnatcher, has been identified in ServiceNow’s Virtual Agent API and Now Assist AI Agents application. This vulnerability enables unauthenticated attackers to impersonate any user, including administrators, and execute privileged operations remotely.

Discovery and Disclosure

Security researcher Aaron Costello from AppOmni uncovered this critical flaw, which combines a hardcoded platform-wide secret with insecure account-linking logic. This combination allows attackers to bypass multi-factor authentication (MFA), single sign-on (SSO), and other access controls. AppOmni reported the vulnerability to ServiceNow on October 23, 2025. ServiceNow promptly acknowledged the issue and deployed patches by October 30, 2025, rotating provider credentials and removing the powerful Record Management AI agent from customer environments.

Technical Details

The vulnerability exploits two primary design flaws in ServiceNow’s AI agent infrastructure:

1. Universal Authentication Token: AI agent channel providers were shipped with identical authentication tokens across all customer instances, creating a universal authentication bypass.

2. Insecure Auto-Linking Mechanism: The system trusted any requester supplying the shared token along with a valid email address, automatically associating external entities with ServiceNow accounts without requiring MFA.

By chaining these weaknesses through the Virtual Agent API, attackers can impersonate privileged users and execute operations remotely. In proof-of-concept demonstrations, researchers successfully created administrative accounts, assigned elevated privileges, reset passwords, and achieved full platform access without authenticating.
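The two design flaws above are easier to reason about side by side. The following is an added, simplified model written for this article, not ServiceNow's or AppOmni's code: the function names, the in-memory user directory, the token value and the one-time link-code flow are all assumptions. The vulnerable function reproduces the pattern the advisory describes (a platform-wide static token plus an email address is enough to become that user); the hardened class shows the two properties a fix needs, a secret that is unique per instance and compared in constant time, and an account link that can only be started from a session that has already completed MFA, so an email address on its own selects nothing.

```python
"""Simplified model of the account-linking weakness behind BodySnatcher.

Illustrative reconstruction only (not vendor code): USERS, the token
string, Instance and its link-code flow are constructed for this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed directory of accounts, standing in for a tenant's user table.
USERS = {
    "admin@example.com": {"user": "admin", "roles": {"admin"}},
    "alice@example.com": {"user": "alice", "roles": {"itil"}},
}

# --- Vulnerable pattern -----------------------------------------------------
# Flaw 1: one token baked into the product, identical in every instance.
SHARED_PROVIDER_TOKEN = "static-token-shared-by-all-instances"  # constructed


def link_account_vulnerable(token: str, email: str):
    """Flaw 2: whoever holds the shared token picks the account by email."""
    if token != SHARED_PROVIDER_TOKEN:
        return None
    return USERS.get(email)  # caller is now this user, MFA never consulted


# --- Hardened pattern -------------------------------------------------------
@dataclass
class Instance:
    """Per-instance state: its own secret plus outstanding one-time link codes."""
    secret: str = field(default_factory=lambda: secrets.token_hex(32))
    pending: dict = field(default_factory=dict)  # link code -> email

    def issue_link_code(self, email: str, mfa_verified: bool) -> str:
        """Only a session that already passed MFA may start a link."""
        if not mfa_verified or email not in USERS:
            raise PermissionError("linking requires an authenticated, MFA-verified session")
        code = secrets.token_urlsafe(16)
        self.pending[code] = email
        return code

    def link_account(self, presented_secret: str, link_code: str):
        """Constant-time secret check, then redeem the single-use code.

        The code is the only thing that selects the account; presenting an
        email address here (as the vulnerable path allowed) matches nothing.
        """
        if not hmac.compare_digest(presented_secret, self.secret):
            return None
        email = self.pending.pop(link_code, None)  # consumed on first use
        return USERS.get(email) if email else None
```

The second pattern also makes credential rotation a per-instance operation, which is the remediation the vendor applied: a leaked `Instance.secret` affects one tenant rather than every customer.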

Affected Versions and Applications

The vulnerability impacts the following ServiceNow applications:

– Now Assist AI Agents (sn_aia): Versions 5.0.24 – 5.1.17 and 5.2.0 – 5.2.18.

– Virtual Agent API (sn_va_as_service): Versions ≤ 3.15.1 and 4.0.0 – 4.0.3.

ServiceNow has addressed the vulnerability in the following versions:

– Now Assist AI Agents (sn_aia): Versions 5.1.18 and 5.2.19.

– Virtual Agent API (sn_va_as_service): Versions 3.15.2 and 4.0.4.
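The version ranges above are the first thing an administrator needs to check, and doing it by eye across several instances is error-prone. The following checker is an added example, not ServiceNow's or AppOmni's tooling: the ranges are copied from the advisory text, version strings are compared as dotted integer tuples, and the sample inventory is constructed for the example (its record shape is an assumption, not an export format the page describes).

```python
"""Check installed ServiceNow application versions against the CVE-2025-12420
affected ranges listed in the advisory. Added example; ranges from the page,
inventory records constructed.
"""
from typing import Optional


def parse_version(v: str) -> tuple:
    """'5.1.17' -> (5, 1, 17). Tuples compare component-wise."""
    return tuple(int(p) for p in v.strip().split("."))


# (scope, inclusive lower bound or None for "any version up to upper",
#  inclusive upper bound, first fixed version) as stated in the advisory.
AFFECTED = [
    ("sn_aia", "5.0.24", "5.1.17", "5.1.18"),
    ("sn_aia", "5.2.0", "5.2.18", "5.2.19"),
    ("sn_va_as_service", None, "3.15.1", "3.15.2"),
    ("sn_va_as_service", "4.0.0", "4.0.3", "4.0.4"),
]


def assess(scope: str, version: str) -> dict:
    """Classify one installed application version.

    status is 'vulnerable' (with fixed_version), 'not_in_affected_range'
    for a covered scope outside every listed range, or 'not_covered' for
    scopes the advisory does not mention.
    """
    result = {"scope": scope, "version": version, "fixed_version": None}
    ranges = [r for r in AFFECTED if r[0] == scope]
    if not ranges:
        result["status"] = "not_covered"
        return result
    installed = parse_version(version)
    for _, lower, upper, fixed in ranges:
        above_lower = lower is None or installed >= parse_version(lower)
        if above_lower and installed <= parse_version(upper):
            result["status"] = "vulnerable"
            result["fixed_version"] = fixed
            return result
    result["status"] = "not_in_affected_range"
    return result


def assess_inventory(records: list) -> list:
    """Return only the vulnerable findings from a list of installed-app records."""
    findings = []
    for rec in records:
        verdict = assess(rec["scope"], rec["version"])
        if verdict["status"] == "vulnerable":
            verdict["instance"] = rec.get("instance", "unknown")
            findings.append(verdict)
    return findings


# Constructed sample: two instances, one vulnerable app each.
SAMPLE_INVENTORY = [
    {"instance": "dev-example", "scope": "sn_aia", "version": "5.1.10"},
    {"instance": "dev-example", "scope": "sn_va_as_service", "version": "4.0.4"},
    {"instance": "prod-example", "scope": "sn_aia", "version": "5.2.19"},
    {"instance": "prod-example", "scope": "sn_va_as_service", "version": "3.14.0"},
    {"instance": "prod-example", "scope": "sn_other_app", "version": "1.2.3"},
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f['instance']}: {f['scope']} {f['version']} is affected; "
              f"update to {f['fixed_version']} or later")
```

Feed it the scope and version of each installed application from your own instances; a version that falls outside every listed range (for example an `sn_aia` release earlier than 5.0.24) is reported as not in the affected range rather than as safe, since the advisory lists only the ranges above.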

Potential Impact

Organizations utilizing ServiceNow’s AI-powered automation features are at risk of exposing sensitive data, including customer information, financial records, healthcare data, and intellectual property. An attacker armed only with a target’s email address can impersonate administrators and leverage AI agents to create backdoor accounts with full system privileges, granting nearly unlimited access to enterprise resources.

Mitigation and Recommendations

ServiceNow has taken the following steps to mitigate the vulnerability:

– Patch Deployment: Released patches by October 30, 2025, rotating provider credentials and removing the Record Management AI agent from customer environments.

– Customer Notifications: Issued notifications and published a knowledge base article (KB2587317) detailing the vulnerability and remediation steps.

Organizations are strongly advised to:

1. Verify Application Versions: Ensure that affected applications have been updated to the fixed versions.

2. Implement Multi-Factor Authentication: Enforce MFA for account-linking processes to enhance security.

3. Review AI Agent Deployments: Establish automated review workflows for AI agent deployments and regularly audit dormant AI agents for deactivation.

4. Utilize AI Control Tower: Leverage the AI Control Tower application to identify unused agents and enforce approval processes before production deployment.

Conclusion

The BodySnatcher vulnerability underscores the critical importance of robust authentication mechanisms and secure design practices in AI-powered platforms. Organizations must remain vigilant, promptly apply security patches, and implement comprehensive security measures to protect against such vulnerabilities.