CVE-2025-11450 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79, found in the ServiceNow AI Platform. This vulnerability arises due to improper neutralization of user-supplied input during web page generation, allowing malicious actors to inject and execute arbitrary JavaScript code in the context of a victim's browser. The attack vector involves an unauthenticated attacker crafting a malicious URL that, when clicked by a legitimate ServiceNow user, executes arbitrary code within their browser session. This can lead to theft of session tokens, unauthorized actions on behalf of the user, or redirection to malicious sites. The vulnerability does not require privileges or prior authentication but does require user interaction. ServiceNow has addressed the issue by deploying security updates across most hosted instances and providing patches to self-hosted customers and partners. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:P), and no impact on confidentiality, integrity, or availability directly (VC:N/VI:N/VA:N), but with a scope change (S:I) indicating the vulnerability affects components beyond the initially vulnerable one. No known exploits are currently reported in the wild, but the medium severity score of 5.3 reflects the potential risk if exploited.

For European organizations, the impact of this vulnerability can be significant, especially for those heavily reliant on the ServiceNow AI Platform for IT service management, workflow automation, and business processes. Successful exploitation could lead to session hijacking, unauthorized access to sensitive data, and potential lateral movement within corporate networks. This poses risks to confidentiality and integrity of organizational data. While availability is not directly impacted, the indirect consequences of compromised user accounts or data leakage could disrupt operations and damage trust. Sectors such as finance, healthcare, government, and critical infrastructure in Europe are particularly sensitive due to the regulatory environment (e.g., GDPR) and the high value of the data processed. The requirement for user interaction (clicking a malicious link) means phishing campaigns could be a likely exploitation vector, increasing the risk in environments with less user awareness or insufficient email security controls.

European organizations should immediately verify their ServiceNow AI Platform deployment versions and apply the latest security updates or patches provided by ServiceNow. For self-hosted or uniquely configured instances, coordinate with ServiceNow support to ensure all relevant fixes are applied. Implement robust email filtering and anti-phishing solutions to reduce the likelihood of users receiving malicious links. Conduct user awareness training focused on recognizing and avoiding suspicious URLs and phishing attempts. Employ Content Security Policy (CSP) headers and other browser security mechanisms to mitigate the impact of potential XSS attacks. Monitor logs and user activity for unusual behavior indicative of exploitation attempts. Consider implementing multi-factor authentication (MFA) on ServiceNow accounts to reduce the risk of session hijacking. Regularly review and tighten access controls and session management policies within the ServiceNow environment to limit potential damage from compromised sessions.