• ServiceNow patches critical security flaw which could allow user

    From TechnologyDaily@1337:1/100 to All on Wed Jan 14 15:00:09 2026
    ServiceNow patches critical security flaw which could allow user impersonation

    Date:
    Wed, 14 Jan 2026 14:45:23 +0000

    Description:
    The bug is dubbed "BodySnatcher" and was given a severity score of 9.3/10.

    FULL STORY ======================================================================
    ServiceNow patches critical AI Platform flaw (CVE-2025-12420) enabling user impersonation
    BodySnatcher scored 9.3/10 and affected multiple app versions
    No exploitation seen yet; experts warn unpatched systems remain at risk post-fix

    ServiceNow, one of the most popular cloud platforms for automating IT and business workflows, has said it recently patched a critical-severity vulnerability which allowed threat actors to impersonate other users and perform arbitrary actions in their stead.

    The company revealed SaaS security outfit AppOmni notified it of a critical privilege escalation vulnerability within its AI Platform in October 2025. Following an investigation, the company started tracking the bug as CVE-2025-12420 and gave it a severity score of 9.3/10 (critical).

    "This issue [...] could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform," the advisory reads. "On October 30, 2025, ServiceNow addressed this vulnerability by deploying a relevant security update to the majority of hosted instances," it further stated. "Security updates were also provided to ServiceNow partners and self-hosted customers. Additionally, the vulnerability is addressed in the listed Store App versions."

    Biggest bug ever?

    The patches were released for these versions:

    Now Assist AI Agents (sn_aia) - 5.1.18 or later and 5.2.19 or later

    Virtual Agent API (sn_va_as_service) - 3.15.2 or later and 4.0.4 or later
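
    One way to check an app inventory against the patched versions listed above. This is an added example, not code from ServiceNow, AppOmni or the article; the per-release-line reading of "or later", the status names and the sample inventory (including the scope sn_example_app) are assumptions.

```python
# Added example. Fixed versions are copied from the list above; the
# release-line interpretation and the sample inventory are assumptions.
FIXED = {
    "sn_aia": [(5, 1, 18), (5, 2, 19)],           # Now Assist AI Agents
    "sn_va_as_service": [(3, 15, 2), (4, 0, 4)],  # Virtual Agent API
}

def parse(version):
    """'5.1.18' -> (5, 1, 18); ValueError unless exactly three integers."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 3:
        raise ValueError(version)
    return parts

def status(scope, version):
    """Return fixed, needs-update, review, not-listed or unparseable."""
    fixes = FIXED.get(scope)
    if fixes is None:
        return "not-listed"
    try:
        v = parse(version)
    except ValueError:
        return "unparseable"
    # Assumption: each listed fix applies to its own major.minor line, so
    # 5.2.3 is compared with 5.2.19, not with 5.1.18.
    for fix in fixes:
        if v[:2] == fix[:2]:
            return "fixed" if v >= fix else "needs-update"
    if v > max(fixes):   # assumption: newer release lines ship the fix
        return "fixed"
    if v < min(fixes):   # below every listed fixed version
        return "needs-update"
    return "review"      # unlisted line between two fixes: check the advisory

def audit(inventory):
    """Return {scope: status} for every listed app not confirmed fixed."""
    found = {s: status(s, v) for s, v in inventory.items()}
    return {s: r for s, r in found.items() if r not in ("fixed", "not-listed")}

# Constructed inventory; sn_example_app is a hypothetical scope name.
SAMPLE = {"sn_aia": "5.2.3", "sn_va_as_service": "4.0.4",
          "sn_example_app": "1.0.0"}

if __name__ == "__main__":
    for scope, result in audit(SAMPLE).items():
        print(f"{scope} {SAMPLE[scope]}: {result}")
```

    A naive comparison would pass 5.2.3 because it sorts after 5.1.18; matching on the release line first is what flags it.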

    So far, there is no evidence that the vulnerability is being abused in the wild. However, it's not unusual for a bug to start being exploited only after the release of a fix. Many cybercriminals don't have the knowledge or the resources to hunt for zero-days, and instead just rely on the fact that many businesses fail to patch their software on time.

    AppOmni, who discovered the flaw, dubbed it BodySnatcher.

    "BodySnatcher is the most severe AI-driven vulnerability uncovered to date: Attackers could have effectively 'remote controlled' an organization's AI, weaponizing the very tools meant to simplify the enterprise," a researcher told The Hacker News.

    Via The Hacker News




    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/servicenow-patches-critical-security-flaw-which-could-allow-user-impersonation


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)