
Security researchers have uncovered a severe vulnerability in ServiceNow's Virtual Agent API and Now Assist AI Agents application, tracked as CVE-2025-12420 and dubbed "BodySnatcher." The flaw lets an unauthenticated attacker impersonate any ServiceNow user knowing nothing more than that user's email address. Because the impersonation happens through the AI agent channel rather than the login flow, it sidesteps multi-factor authentication (MFA) and single sign-on (SSO) entirely, giving the attacker the privileges of the impersonated user inside AI workflows and, from there, the ability to create administrator accounts that serve as persistent backdoors.
How BodySnatcher Works
The exploit chains two weaknesses in ServiceNow's AI agent infrastructure. First, every ServiceNow instance shipped with the same static client secret hardcoded into the AI Agent channel providers, so one value known to the attacker works as a universal bearer token against any instance. Second, the platform's auto-linking mechanism associates an inbound channel request with a platform account on the strength of an email address alone; it never asks the user to prove ownership of that account, so MFA is never triggered.
The attack occurs in two stages:
Initial Request: The attacker sends an HTTP POST to /api/sn_va_as_service/bot/integration carrying the shared token servicenowexternalagent and the target's email address. The auto-linking mechanism binds this request to the legitimate user account matching that email.
Malicious Payload: After a delay of roughly 8–10 seconds (to let the link complete), the attacker sends a follow-up payload over the now-linked session instructing the agent to perform actions such as creating users, assigning roles, or resetting passwords. Proof-of-concept tests demonstrated full platform control without SSO authentication or any valid credential.
In effect the flaw bypasses authentication altogether. According to the report it affects on-premise deployments worldwide, while cloud-hosted ServiceNow customers are reportedly unaffected.
As an immediate mitigation, ServiceNow removed the Record Management AI Agent from default installations, though custom AI agents can still be exposed if they are configured the same way. Organizations are strongly urged to apply the patches listed below, require MFA before an AI agent can be linked to an account, impose mandatory approval workflows through AI Control Tower, and audit regularly for unused AI agents that should be disabled.
Metric                      Details
CVE identifier              CVE-2025-12420
Vulnerability type          Broken authentication / agentic hijacking
Severity                    Critical (the report gives no numeric CVSS score)
Attack vector               Network, unauthenticated
Affected systems            ServiceNow on-premise deployments (cloud reportedly unaffected)
Authentication required     No
User interaction required   No
Affected Versions and Patch Timeline
Application                            Affected versions                    Fixed versions    Patch date
Now Assist AI Agents (sn_aia)          5.0.24 – 5.1.17, 5.2.0 – 5.2.18      5.1.18, 5.2.19    January 2026
Virtual Agent API (sn_va_as_service)   ≤ 3.15.1, 4.0.0 – 4.0.3              3.15.2, 4.0.4     January 2026
Both applications must be on a fixed version; upgrading only one of them leaves the attack path open. Organizations running any affected version should patch immediately to prevent account takeover and abuse of AI automation workflows.
What Undercode Says:
BodySnatcher is not just another authentication flaw. It is a stark reminder of what hardcoded credentials and weak auto-linking logic cost in AI-powered enterprise tools. ServiceNow's AI agents, built for convenience and workflow automation, inadvertently exposed a backdoor around the very controls (MFA and SSO) that were supposed to guard the accounts they act for.
Two main lessons emerge:
Static Secrets Are Dangerous: Shipping the same client secret to every deployment is a critical anti-pattern. Once that value leaks from any one instance, or is simply read out of the product, it works against every other instance, so an attacker can compromise whole organizations without ever touching a legitimate credential.
AI Automation Needs Strong Controls: A mechanism that links an external channel to a platform account is an authentication decision and must be treated as one: it should demand an MFA-backed proof of ownership and an approval workflow, not a bare email address. Without those controls, a small misconfiguration becomes a catastrophic vulnerability.
From a strategic perspective, enterprises should consider:
Immediate audits of AI agents and custom workflows to strip privileges that are not strictly needed.
Continuous security testing of AI-driven integrations, including the inbound endpoints that link channels to accounts.
Segregating AI agents from high-value accounts where feasible, so that a hijacked agent cannot reach administrative roles and the blast radius stays small.
The incident also highlights the emerging security risks in enterprise AI tools. As organizations delegate more decision-making and administrative tasks to AI, a flaw in the automation layer can turn into rapid, widespread compromise. BodySnatcher could have been used not only to hijack accounts but also to manipulate critical IT operations, underscoring the need for security-first AI deployment.
Fact Checker Results:
✅ Vulnerability is confirmed as critical and affects on-premise ServiceNow only.
✅ Exploit bypasses MFA and SSO, proven via PoC demonstrations.
✅ Patch availability is confirmed for all affected versions as of January 2026.
Prediction:
With BodySnatcher exposed, expect heightened scrutiny of AI automation security across enterprise platforms. Attackers are likely to hunt for variants in other AI-based services that rely on similar auto-linking or shared static credentials. Companies that ignore these lessons may face rapid privilege escalation and persistent intrusions in the months to come. ⚠️
References:
Reported By: cyberpress.org