
CVE-2025-11449: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in ServiceNow ServiceNow AI Platform

Medium
Published: Fri Oct 10 2025 (10/10/2025, 01:15:41 UTC)
Source: CVE Database V5
Vendor/Project: ServiceNow
Product: ServiceNow AI Platform

Description

ServiceNow has addressed a reflected cross-site scripting vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could result in arbitrary code being executed within the browsers of ServiceNow users who click on a specially crafted link. ServiceNow has addressed this vulnerability by deploying a relevant security update to the majority of hosted instances. Relevant security updates also have been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configuration. Further, the vulnerability is addressed in the listed patches and hot fixes. We recommend customers promptly apply appropriate updates or upgrade if they have not already done so.

AI-Powered Analysis

Last updated: 10/10/2025, 03:36:25 UTC

Technical Analysis

CVE-2025-11449 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79, found in the ServiceNow AI Platform. It arises from improper neutralization of user-supplied input during web page generation: a parameter taken from the request is written back into the response without being encoded for its HTML context, so markup and script in that parameter are rendered rather than displayed. When a ServiceNow user follows a specially crafted URL carrying such a payload, the injected script executes in the user's browser within the platform's origin. That allows an attacker to read data the page can read, perform actions with the victim's session, or redirect the victim to an attacker-controlled site. The vulnerability requires no authentication or privileges, only user interaction (following the crafted link). ServiceNow has addressed the issue by deploying security updates to most hosted instances and providing patches for self-hosted and uniquely configured environments. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), passive user interaction (UI:P), and no impact on the vulnerable system's own confidentiality, integrity, or availability (VC:N/VI:N/VA:N); the resulting score is 5.3, medium severity. No known exploits had been reported in the wild as of the publication date. Organizations using the ServiceNow AI Platform should promptly apply the provided patches or upgrade to the fixed versions.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of user sessions within the ServiceNow AI Platform. Successful exploitation could allow attackers to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, unauthorized actions, or data exfiltration. Given ServiceNow's widespread use in IT service management, HR, and security operations across Europe, exploitation could disrupt critical business workflows and expose sensitive organizational data. Although the vulnerability does not directly affect system availability or require elevated privileges, the client-side impact can facilitate further attacks such as phishing or lateral movement within corporate networks. The medium severity rating reflects the need for timely remediation to prevent exploitation, especially in environments where users are likely to receive external links or emails. The lack of known active exploits reduces immediate risk but does not eliminate the potential for future attacks. Organizations with extensive ServiceNow deployments, particularly those integrated with sensitive business processes, face higher impact risks.

Mitigation Recommendations

European organizations should immediately verify their ServiceNow AI Platform deployment versions and apply the latest security updates or patches provided by ServiceNow. For self-hosted or uniquely configured instances, coordinate with ServiceNow support to obtain and deploy relevant hotfixes. Implement web filtering and email security controls to detect and block malicious URLs that could exploit this XSS vulnerability. Educate users about the risks of clicking unsolicited or suspicious links, especially those purporting to be related to ServiceNow services. Employ Content Security Policy (CSP) headers where possible to restrict the execution of unauthorized scripts within the ServiceNow web environment. Regularly audit and monitor ServiceNow logs for unusual access patterns or suspicious activities indicative of attempted exploitation. Consider deploying browser security extensions or endpoint protection that can detect and block XSS attacks. Finally, maintain an incident response plan to quickly address any suspected compromise resulting from this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: SN
Date Reserved: 2025-10-07T16:35:31.924Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68e87f2bfb63177606d960e4

Added to database: 10/10/2025, 3:36:11 AM

Last enriched: 10/10/2025, 3:36:25 AM

Last updated: 10/10/2025, 10:21:00 AM

