EXECUTIVE SUMMARY:
A critical vulnerability CVE‑2025‑12420 in the ServiceNow AI Platform can allow an unauthenticated attacker to impersonate any legitimate user and perform all actions that user is authorized to do, effectively enabling severe privilege escalation and unauthorized access to sensitive workflows and data. The flaw exists due to improper authentication checks in the affected AI components, allowing remote attackers to bypass normal identity verification and assume the identity of other users without credentials. Exploitation could lead to unauthorized changes, data theft, manipulation of automated processes, and broader compromise of enterprise IT service management infrastructure. ServiceNow has released security updates addressing this issue for hosted instances and provided patches for self‑hosted deployments and related Store Apps; organizations using the impacted AI modules must apply these updates promptly and audit access control configurations to mitigate risk and prevent exploitation in their environments. The vulnerability has a CVSS score of 9.3.
RECOMMENDATION:
We strongly recommend you update ServiceNow AI Platform to below version:
REFERENCES:
The following reports contain further technical details: