ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation
ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow artificial intelligence (AI) Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user. The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0. It has been codenamed BodySnatcher by AppOmni. "This issue [.
AI Analysis
Technical Summary
ServiceNow disclosed a critical security vulnerability identified as CVE-2025-12420 in its AI Platform, specifically impacting Now Assist AI Agents (sn_aia) and Virtual Agent API (sn_va_as_service) components. This flaw allowed unauthenticated attackers to impersonate any user and execute arbitrary actions with the impersonated user's privileges, effectively bypassing authentication controls. The vulnerability scored 9.3/10 on the CVSS scale, reflecting its critical nature. The root cause involved insufficient validation or access control in the AI platform's user impersonation mechanisms, potentially exacerbated by the agentic capabilities of the generative AI features. The flaw was responsibly disclosed by Aaron Costello of AppOmni in October 2025 and patched by ServiceNow by October 30, 2025, with updates released for hosted instances and patches shared with partners and self-hosted customers. Exploitation could enable attackers to exfiltrate sensitive corporate data, modify records, and escalate privileges, posing significant risks to confidentiality, integrity, and availability. This vulnerability follows prior findings where default configurations in ServiceNow's AI platform allowed second-order prompt injection attacks, indicating a broader risk profile in AI-powered SaaS environments. No evidence of exploitation in the wild has been reported yet, but the potential for damage is high given the platform's widespread use in enterprise IT service management and automation.
Potential Impact
For European organizations, the impact of this vulnerability is substantial. ServiceNow is widely adopted across Europe for IT service management, HR workflows, and business process automation, often integrated with sensitive corporate data and critical operational systems. An attacker exploiting this flaw could impersonate privileged users, leading to unauthorized data access, manipulation of business records, disruption of workflows, and potential lateral movement within corporate networks. This could result in data breaches, regulatory non-compliance (e.g., GDPR violations), financial losses, and reputational damage. The AI platform's agentic capabilities increase the risk by enabling automated execution of malicious commands once impersonation is achieved. Organizations in sectors such as finance, healthcare, government, and critical infrastructure are particularly vulnerable due to the sensitivity and regulatory requirements of their data. The lack of required authentication and user interaction lowers the barrier for exploitation, increasing the likelihood of targeted attacks or opportunistic exploitation if patches are not applied promptly.
Mitigation Recommendations
European organizations should immediately verify their ServiceNow AI platform versions and apply the security patches released on or after October 30, 2025, specifically versions 5.1.18 or later and 5.2.19 or later for Now Assist AI Agents, and 3.15.2 or later and 4.0.4 or later for Virtual Agent API. Beyond patching, organizations should audit and harden AI platform configurations to minimize default or overly permissive settings, particularly those enabling agentic AI actions. Implement strict role-based access controls and monitor impersonation or privilege escalation attempts via logging and anomaly detection. Conduct thorough security reviews of AI-driven workflows to identify potential injection or command execution vectors. Engage in continuous threat hunting focused on AI platform logs and unusual user behavior. Coordinate with ServiceNow support and partners to ensure all instances, including self-hosted environments, are updated. Finally, integrate AI platform security into broader SaaS risk management and zero trust strategies to reduce attack surface and improve detection capabilities.
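A first step in the patch verification described above is comparing each installed plugin version against the fixed releases the advisory names. The script below is an added example, not ServiceNow or AppOmni code; the plugin identifiers (sn_aia, sn_va_as_service) and the fixed versions come from the advisory text, while the function names, the "unknown" handling for release branches the advisory does not list, and the sample inventory are assumptions constructed for illustration.

```python
"""Check ServiceNow AI plugin versions against the fixed releases named in the
advisory for CVE-2025-12420.  Added example: plugin identifiers and fixed
versions are taken from the advisory; function names, status labels and the
sample inventory are constructed for illustration."""
from __future__ import annotations

# Minimum patched version per release branch, as stated in the advisory:
#   Now Assist AI Agents (sn_aia):           5.1.18 and 5.2.19
#   Virtual Agent API (sn_va_as_service):    3.15.2 and 4.0.4
PATCHED_MINIMUM: dict[str, dict[tuple[int, int], tuple[int, ...]]] = {
    "sn_aia": {(5, 1): (5, 1, 18), (5, 2): (5, 2, 19)},
    "sn_va_as_service": {(3, 15): (3, 15, 2), (4, 0): (4, 0, 4)},
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.1.18' (or a four-part '5.1.18.1') into a comparable int tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(plugin: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one plugin install.

    'unknown' is returned for plugins the advisory does not cover and for
    release branches newer than any branch it lists; those must be checked
    against the vendor's own release notes rather than guessed at here.
    """
    branches = PATCHED_MINIMUM.get(plugin)
    if branches is None:
        return "unknown"
    v = parse_version(version)
    branch = v[:2]  # (major, minor) selects the release branch
    if branch in branches:
        # Tuple comparison handles extra components: (5,1,18,1) >= (5,1,18).
        return "patched" if v >= branches[branch] else "vulnerable"
    if branch < min(branches):
        # Older than every fixed branch: no fix exists on that branch.
        return "vulnerable"
    # Newer or intermediate branch the advisory does not mention.
    return "unknown"


def audit(inventory: dict[str, str]) -> dict[str, str]:
    """Map each plugin in an inventory (plugin id -> version) to its status."""
    return {plugin: patch_status(plugin, ver) for plugin, ver in inventory.items()}


# Constructed sample inventory; not data from a real instance.
SAMPLE_INVENTORY = {
    "sn_aia": "5.2.17",
    "sn_va_as_service": "4.0.4",
}

if __name__ == "__main__":
    for plugin, status in audit(SAMPLE_INVENTORY).items():
        print(f"{plugin} {SAMPLE_INVENTORY[plugin]}: {status}")
```

Feed `audit()` the plugin versions exported from each instance (hosted and self-hosted alike) and treat every "vulnerable" or "unknown" result as an open action item; the script deliberately refuses to declare a branch safe when the advisory gives no fixed version for it.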
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Switzerland, Belgium, Italy, Spain, Ireland
Technical Details
- Article Source: https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html (fetched 2026-01-13)
- Added to database: 1/13/2026, 11:55:38 AM
- Last updated: 2/7/2026, 4:35:30 PM