BodySnatcher Vulnerability Allows Attackers to Impersonate Any ServiceNow User

Security researchers have disclosed a critical vulnerability in ServiceNow’s Virtual Agent API and Now Assist AI Agents application, tracked as CVE-2025-12420.

Dubbed “BodySnatcher,” this authentication flaw allows unauthenticated attackers to impersonate any ServiceNow user using only their email address.

The vulnerability completely bypasses multi-factor authentication (MFA) and single sign-on (SSO) controls, enabling attackers to execute privileged AI workflows and establish persistent backdoor access through malicious administrator accounts.

Vulnerability Mechanism

The BodySnatcher exploit chains two critical security misconfigurations within ServiceNow’s AI agent infrastructure.

First, all ServiceNow instances worldwide ship with an identical static client secret hardcoded in AI Agent channel providers, creating a universal authentication bypass mechanism.

Second, the auto-linking mechanism for account association requires only an email address, without enforcing MFA, allowing any attacker with the shared token to impersonate legitimate users.

The attack unfolds in two stages. An attacker begins by sending an HTTP POST request to the /api/sn_va_as_service/bot/integration endpoint, supplying the hardcoded shared token “servicenowexternalagent” and the target’s email address.

The auto-linking mechanism automatically associates this external request with the legitimate ServiceNow user account.

After waiting 8-10 seconds for the AI agent’s confirmation, the attacker sends a follow-up payload that authorizes malicious actions, such as user creation, role assignment, or password reset, via standard workflows.

In proof-of-concept demonstrations, attackers successfully created administrator accounts, assigned elevated privileges, and gained complete platform control without possessing legitimate credentials or authenticating through SSO.

This represents a complete authentication bypass affecting any on-premise ServiceNow deployment.

ServiceNow removed the Record Management AI Agent from default installations as a patch measure, though organizational custom agents remain vulnerable if misconfigured.

On-premise customers should immediately upgrade to patched versions. Security teams must enforce MFA for Virtual Agent provider account linking, establish mandatory approval workflows for AI agent deployments through AI Control Tower, and conduct quarterly audits to identify unused AI agents.

Metric	Details
CVE Identifier	CVE-2025-12420
Vulnerability Type	Broken Authentication & Agentic Hijacking
CVSS Score	Critical
Attack Vector	Network-based, Unauthenticated
Affected Systems	ServiceNow On-Premise (Cloud customers unaffected)
Authentication Required	No
User Interaction Required	No

Affected Versions and Patch Timeline

Application	Affected Versions	Fixed Versions	Patch Date
Now Assist AI Agents (sn_aia)	5.0.24 – 5.1.17, 5.2.0 – 5.2.18	5.1.18, 5.2.19	January 2026
Virtual Agent API (sn_va_as_service)	≤ 3.15.1, 4.0.0 – 4.0.3	3.15.2, 4.0.4	January 2026

Organizations running affected ServiceNow versions should prioritize patching to prevent account takeover attacks targeting critical IT service management and AI automation workflows.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.

The post BodySnatcher Vulnerability Allows Attackers to Impersonate Any ServiceNow User appeared first on Cyber Security News.