User Impersonation Vulnerability in ServiceNow AI Platform
CVE-2025-12420

9.3 CRITICAL

Key Information:

Vendor: ServiceNow
CVE Published: 12 January 2026

Badges

📰 News Worthy

What is CVE-2025-12420?

A vulnerability in the ServiceNow AI Platform enables an unauthenticated user to impersonate another user, gaining access to operations that the impersonated user is authorized to perform. ServiceNow has rolled out a security update to address this issue in hosted instances as of October 2025, ensuring that both self-hosted customers and partners receive relevant patches. Immediate application of the recommended security updates or upgrades is advised to mitigate the risks associated with this vulnerability.

Affected Version(s)

Now Assist AI Agents 5.0.26 <= 5.1.17

Now Assist AI Agents 5.0.26 <= 5.2.18

Virtual Agent API 0 < 3.15.2

News Articles

ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation

ServiceNow fixed CVE-2025-12420, a critical flaw that let unauthenticated attackers impersonate users on its AI Platform.

4 weeks ago

References

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 📰 First article discovered by The Hacker News

  • Vulnerability published

  • Vulnerability Reserved

Credit

Aaron Costello – AppOmni