ServiceNow patches critical security flaw which could allow user impersonation

News, by Sead Fadilpašić, published 14 January 2026

It is the most severe AI-driven vulnerability ever found, researchers say


(Image: representational image of a cybercriminal. Image credit: Pixabay)
  • ServiceNow patches critical AI Platform flaw (CVE-2025-12420) enabling user impersonation
  • “BodySnatcher” scored 9.3/10 and affected multiple app versions
  • No exploitation seen yet; experts warn unpatched systems remain at risk post-fix

ServiceNow, one of the most popular cloud platforms for automating IT and business workflows, has said it recently patched a critical-severity vulnerability which allowed threat actors to impersonate other users and perform arbitrary actions in their stead.

The company revealed SaaS security outfit AppOmni notified it of a critical privilege escalation vulnerability within its AI Platform in October 2025. Following an investigation, the company started tracking the bug as CVE-2025-12420 and gave it a severity score of 9.3/10 (critical).

“This issue [...] could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform,” the advisory reads. “On October 30, 2025, ServiceNow addressed this vulnerability by deploying a relevant security update to the majority of hosted instances,” it further stated. “Security updates were also provided to ServiceNow partners and self-hosted customers. Additionally, the vulnerability is addressed in the listed Store App versions.”


Biggest bug ever?

The patches were released for these versions:
  • Now Assist AI Agents (sn_aia): 5.1.18 or later and 5.2.19 or later
  • Virtual Agent API (sn_va_as_service): 3.15.2 or later and 4.0.4 or later
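A defender reading the version list above usually wants the same comparison done against an inventory of installed Store Apps, per release branch, because "5.1.18 or later" says nothing about a 5.3.x or 4.1.x build that the advisory does not name. The following is an added example, not ServiceNow's or AppOmni's own tooling: it encodes only the fixed versions quoted in this article and treats any app or branch outside that list as "unlisted" (confirm with the vendor) rather than guessing. The inventory it runs on is constructed sample data, and the `sn_aia` / `sn_va_as_service` scope names are those given in the article.

```python
"""Compare installed ServiceNow Store App versions against the minimum fixed
versions named in the CVE-2025-12420 advisory, as quoted in this article.

Added example; not ServiceNow's or AppOmni's code. Only the four fixed
versions from the article are encoded. Anything else is reported as
'unlisted' so that it is checked rather than assumed safe.
"""
from typing import Dict, Iterable, List, Tuple

# Minimum fixed version per app scope and per release branch (major.minor),
# taken from the advisory text above.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "sn_aia": {"5.1": "5.1.18", "5.2": "5.2.19"},
    "sn_va_as_service": {"3.15": "3.15.2", "4.0": "4.0.4"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.1.18' into (5, 1, 18) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def branch_of(version: str) -> str:
    """Release branch is the major.minor prefix, e.g. '5.1.17' -> '5.1'."""
    return ".".join(version.strip().split(".")[:2])


def assess(app: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted' for one installed app.

    'unlisted' means the advisory quoted here names neither this app nor
    this release branch; it is not a clean bill of health.
    """
    branches = FIXED_VERSIONS.get(app)
    if branches is None:
        return "unlisted"
    fixed = branches.get(branch_of(installed))
    if fixed is None:
        return "unlisted"
    if parse_version(installed) >= parse_version(fixed):
        return "patched"
    return "vulnerable"


def assess_inventory(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Assess every (app_scope, installed_version) pair in an inventory."""
    return [(app, version, assess(app, version)) for app, version in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real instance data.
    sample_inventory = [
        ("sn_aia", "5.1.17"),            # below fixed 5.1.18 -> vulnerable
        ("sn_aia", "5.2.19"),            # exactly the fixed build -> patched
        ("sn_aia", "5.3.0"),             # branch not in advisory -> unlisted
        ("sn_va_as_service", "3.15.1"),  # below fixed 3.15.2 -> vulnerable
        ("sn_va_as_service", "4.0.4"),   # fixed build -> patched
        ("some_other_app", "1.0.0"),     # app not in advisory -> unlisted
    ]
    for app, version, status in assess_inventory(sample_inventory):
        print(f"{app:20} {version:10} {status}")
```

The per-branch table matters more than the comparison itself: a flat "installed >= 5.1.18" check would wrongly mark 5.2.3 as patched, because the 5.2 branch was fixed at 5.2.19, not 5.1.18.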

So far, there is no evidence that the vulnerability is being abused in the wild. However, it’s not unusual for a bug to start being exploited only after the release of a fix. Many cybercriminals don’t have the knowledge or the resources to hunt for zero-days, and instead just rely on the fact that many businesses fail to patch their software on time.


AppOmni, which discovered the flaw, dubbed it “BodySnatcher”.

"BodySnatcher is the most severe AI-driven vulnerability uncovered to date: Attackers could have effectively 'remote controlled' an organization's AI, weaponizing the very tools meant to simplify the enterprise," a researcher told The Hacker News.

Via The Hacker News



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
