Full Report
The company says it has no evidence the bug was exploited before October’s patch, but researchers say AI agent configuration can still enable prompt-injection style abuse. The post ServiceNow patches critical AI platform flaw that could allow user impersonation appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Critical ServiceNow AI Platform Flaw Allowing User Impersonation via Prompt Injection Vectors
## CVE Details
- CVE ID: CVE-2025-12420
- CVSS Score: 9.3 (Critical)
- CWE: Not explicitly stated, but related to input validation/output encoding in an AI context (suggests improper handling of agent instructions/data).
## Affected Systems
- Products: ServiceNow Now Assist AI Agents and Virtual Agent API components.
- Versions:
- Now Assist AI Agents: Prior to 5.1.18 and 5.2.19
- Virtual Agent API: Prior to 3.15.2 and 4.0.4
- Configurations: Affects systems where AI agents are configured with default settings enabling automatic discoverability and grouping, facilitating second-order prompt injection attacks.
## Vulnerability Description
The vulnerability exists within ServiceNow's AI platform and could allow unauthenticated users to impersonate legitimate users and execute unauthorized actions. The flaw is primarily leveraged through sophisticated **second-order prompt injection attacks**. An attacker embeds malicious instructions within data fields processed by an AI agent. When a higher-privileged agent processes this malicious data, the embedded instructions are executed, potentially leading to unauthorized access to restricted records, data modification, or privilege escalation. This attack vector bypasses existing prompt injection protections because it exploits agent-to-agent communication pathways established by default agent discovery features.
## Exploitation
- Status: The company reported no evidence of exploitation prior to the October patch. However, researchers demonstrated the capability via proof-of-concept style testing.
- Complexity: Medium (Requires understanding of the AI agent discovery feature and malicious data embedding).
- Attack Vector: Network (via input data processing)
## Impact
- Confidentiality: High (Potential access to restricted records)
- Integrity: High (Potential modification of data)
- Availability: Medium (Potential for disruption if privileges are escalated or system state is altered)
## Remediation
### Patches
- **Now Assist AI Agents:** Upgrade to version 5.1.18 or later, or 5.2.19 or later.
- **Virtual Agent API:** Upgrade to version 3.15.2 or later, or 4.0.4 or later.
- Fixes were deployed to most hosted instances on October 30, 2025.
### Workarounds
- Implement rigorous configuration management for AI agents, focusing on isolating agents into segmented teams based on function.
- Limit or disable the agent discovery feature where possible, or ensure only trusted agents are discoverable.
- Require human supervision for AI agents possessing powerful capabilities.
## Detection
- **Indicators of Compromise:** Look for unexpected behavior or unauthorized actions initiated by AI agents, especially interactions between agents that should not normally communicate or operate on data from low-privileged sources.
- **Detection Methods and Tools:** Monitor agent behavior logs for deviations from expected patterns established for specific workflows. Configuration reviews of agent grouping and discovery settings are critical.
## References
- Vendor Advisory (KB Article): hXXps://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329
- Research Details (Prompt Injection): hXXps://appomni.com/ao-labs/ai-agent-to-agent-discovery-prompt-injection/