The threat involves a novel second-order prompt injection attack targeting ServiceNow's Now Assist generative AI platform. Now Assist enables AI agents to autonomously collaborate and discover each other to automate enterprise workflows such as help-desk operations. By default, agents are grouped into teams and marked as discoverable, allowing them to invoke each other’s capabilities. Attackers exploit this design by embedding malicious prompts into content accessible by a benign agent, which then recruits a more privileged agent to execute unauthorized commands. These commands can include copying sensitive corporate data, modifying records, escalating privileges, or sending emails, all performed under the privileges of the user who initiated the interaction rather than the attacker. This attack bypasses traditional prompt injection protections because it leverages agent-to-agent communication rather than direct user input. The exploit is facilitated by default configuration settings such as the choice of underlying large language models (Azure OpenAI or Now LLM), automatic team grouping, and discoverability flags. Since these behaviors are intentional and documented by ServiceNow, the vulnerability arises from insecure default configurations rather than software flaws. The attack unfolds stealthily, making detection difficult. Following responsible disclosure, ServiceNow updated documentation but did not change default behaviors. AppOmni recommends mitigation strategies including supervised execution mode for privileged agents, disabling autonomous override features, segmenting agents into separate teams to limit cross-agent influence, and continuous monitoring for anomalous agent activities. This threat highlights the emerging security challenges of agentic AI systems in SaaS environments and the need for rigorous configuration and operational controls.

For European organizations, the impact of this threat can be substantial. ServiceNow is widely used across Europe for IT service management, customer support, and internal automation, especially in sectors like finance, healthcare, telecommunications, and government. Exploiting this vulnerability could lead to unauthorized access to sensitive corporate data, including personal data protected under GDPR, resulting in regulatory penalties and reputational damage. Privilege escalation could allow attackers to manipulate critical business processes or disrupt operations. The stealthy nature of the attack means organizations may remain unaware of compromise for extended periods, increasing the risk of data leakage or sabotage. Additionally, the ability to send emails or modify records could facilitate further social engineering or lateral movement within networks. Given the increasing adoption of AI-driven automation, this threat also raises concerns about the security of AI workflows and the potential for AI agents to be weaponized internally. The medium-to-high severity of this threat necessitates urgent attention to configuration management and monitoring to prevent exploitation and limit potential damage.

1. Review and harden Now Assist default configurations by disabling agent discoverability where not required and avoiding automatic team grouping of agents with different privilege levels. 2. Enable supervised execution mode for agents performing privileged operations to require explicit human approval before executing sensitive commands. 3. Disable the autonomous override property ('sn_aia.enable_usecase_tool_execution_mode_override') to prevent agents from autonomously escalating privileges or overriding controls. 4. Segment AI agents by function and privilege into isolated teams to limit cross-agent communication and reduce attack surface. 5. Implement continuous monitoring and anomaly detection focused on AI agent behaviors, including unexpected data access, record modifications, or outbound communications. 6. Conduct regular audits of AI prompt inputs and outputs to detect embedded malicious prompts or suspicious interactions. 7. Educate administrators and developers on the risks of agentic AI configurations and the importance of secure prompt management. 8. Collaborate with ServiceNow support and stay updated on any patches or best practice guidance related to Now Assist security. 9. Integrate AI agent security into broader SaaS security and identity management frameworks to enforce least privilege and access controls. 10. Consider restricting the underlying LLMs used by Now Assist to those with stronger security controls or sandboxing capabilities.