User Impersonation Vulnerability in ServiceNow AI Platform
CVE-2025-12420

9.3 CRITICAL

Key Information:

Vendor

ServiceNow
CVE Published:
12 January 2026

Badges

📰 News Worthy

What is CVE-2025-12420?

A vulnerability in the ServiceNow AI Platform enables an unauthenticated user to impersonate another user and thereby perform any operation the impersonated user is authorized to perform. ServiceNow rolled out a security update addressing this issue to hosted instances in October 2025 and has made the relevant patches available to self-hosted customers and partners. Applying the recommended security updates or upgrades immediately is advised to mitigate the risk associated with this vulnerability.

Affected Version(s)

Now Assist AI Agents >= 5.0.26, <= 5.1.17

Now Assist AI Agents >= 5.0.26, <= 5.2.18

Virtual Agent API < 3.15.2 (all prior versions)

News Articles

ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation

ServiceNow fixed CVE-2025-12420, a critical flaw that let unauthenticated attackers impersonate users on its AI Platform.

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 📰 First article discovered by The Hacker News

  • Vulnerability published

  • Vulnerability Reserved

Credit

Aaron Costello – AppOmni