{“lastseen”:”2026-01-13T11:58:31″,”description”:”\\n\\nServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user.\\n\\nThe vulnerability, tracked as **CVE-2025-12420** , carries a CVSS score of 9.3 out of 10.0\\n\\n\\”This issue […] could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform,\\” the company said in an advisory released Monday.\\n\\nThe shortcoming was addressed by ServiceNow on October 30, 2025, by deploying a security update to the majority of hosted instances, with the company also sharing the patches with ServiceNow partners and self-hosted customers.\\n\\n\\n\\nThe following versions include a fix for CVE-2025-12420 -\\n\\n * Now Assist AI Agents (sn_aia) – 5.1.18 or later and 5.2.19 or later\\n * Virtual Agent API (sn_va_as_service) – 3.15.2 or later and 4.0.4 or later\\n\\n\\n\\nServiceNow credited Aaron Costello, chief of SaaS Security Research at AppOmni, with discovering and reporting the flaw in October 2025. While there is no evidence that the vulnerability has been exploited in the wild, users are advised to apply an appropriate security update as soon as possible to mitigate potential threats.\\n\\nThe disclosure comes nearly two months after AppOmni revealed that malicious actors can exploit default configurations in ServiceNow’s Now Assist generative artificial intelligence (AI) platform and leverage its agentic capabilities to conduct second-order prompt injection attacks.\\n\\nThe issue could then be weaponized to execute unauthorized actions, enabling attackers to copy and exfiltrate sensitive corporate data, modify records, and escalate privileges.\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2026-01-13T11:47:00″,”modified”:”2026-01-13T11:47:21″,”type”:”thn”,”title”:”ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation”,”source”:””,”references”:””,”id”:”THN:8B1A10CBEF402ACDA8F8CAD214905C3D”,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[“CVE-2025-12420″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:H\/VI:H\/SI:H\/VA:H\/SA:H\/E:P\/S:N\/AU:Y\/U:Amber\/R:U\/V:C\/RE:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2026\/01\/servicenow-patches-critical-ai-platform.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-13T11:58:31″,”description”:”\\n\\nServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,36,12,13,7,11,43,5],"class_list":["post-35247","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n