CVE-2025-11450 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the ServiceNow AI Platform. This vulnerability arises from improper neutralization of user input during web page generation, allowing attackers to inject malicious scripts into URLs or web requests. When a user clicks a specially crafted link, the malicious script executes in their browser context, potentially enabling theft of session tokens, redirection to malicious sites, or unauthorized actions performed on behalf of the user. The vulnerability requires no authentication or privileges and can be exploited remotely with low attack complexity, but does require user interaction (clicking the link). ServiceNow has addressed the issue by deploying security updates to most hosted instances and providing patches for self-hosted and uniquely configured customers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N) reflects network attack vector, low complexity, no privileges or authentication required, user interaction needed, and limited scope impact confined to the vulnerable component. No known exploits in the wild have been reported to date. The vulnerability primarily threatens confidentiality and integrity by enabling script execution in the victim’s browser, which could lead to session hijacking or unauthorized actions within the ServiceNow platform interface. Given ServiceNow’s widespread use in IT service management and enterprise workflows, this vulnerability poses a risk to organizations relying on the platform for critical business processes.

For European organizations, this vulnerability could lead to compromise of user sessions and unauthorized access to sensitive workflows managed through the ServiceNow AI Platform. Attackers exploiting this XSS flaw could steal authentication tokens, manipulate data, or perform actions impersonating legitimate users, potentially disrupting IT service management and business operations. The impact is particularly significant for organizations in sectors such as finance, healthcare, government, and critical infrastructure, where ServiceNow is commonly used for incident management and compliance workflows. The reflected XSS nature means phishing or social engineering campaigns could be used to lure users into clicking malicious links, increasing the attack surface. While the vulnerability does not directly affect availability, the resulting unauthorized actions could indirectly cause operational disruptions. The medium CVSS score reflects moderate risk, but the broad adoption of ServiceNow in Europe elevates the potential impact if left unpatched.

European organizations should immediately verify their ServiceNow AI Platform deployment version and apply the latest security updates or patches provided by ServiceNow. For self-hosted or uniquely configured instances, coordinate with ServiceNow support to ensure all relevant fixes are applied. Implement strict input validation and output encoding on any custom integrations or extensions interacting with the platform to reduce XSS risks. Educate users to be cautious about clicking links from untrusted sources, especially those purporting to be from internal IT or ServiceNow communications. Employ web application firewalls (WAFs) with rules targeting reflected XSS patterns to provide an additional layer of defense. Monitor logs and user activity for signs of suspicious behavior or unauthorized actions that could indicate exploitation attempts. Regularly review and update security policies related to phishing awareness and incident response to quickly contain potential breaches stemming from this vulnerability.