TLP:AMBER+STRICT - ServiceNow Advanced CVE Communication Sharing to GTIA
Summary:
In October 2025, AppOmni, a SaaS security firm, notified ServiceNow of its intent to publish an article about a critical privilege escalation vulnerability affecting ServiceNow instances using the Virtual Agent API and Now Assist AI Agents. This vulnerability could have enabled an unauthenticated user to impersonate another user and perform operations that the impersonated user was entitled to perform.
ServiceNow addressed this vulnerability on October 30, 2025, by deploying security updates to all affected hosted customer instances. Security updates were also provided to self-hosted customers and partners. On January 12, 2026, ServiceNow published CVE-2025-12420 for this vulnerability. AppOmni's public disclosure followed on January 13, 2026.
Additional Information:
What was the vulnerability?
A privilege escalation vulnerability in the ServiceNow AI Platform that could have enabled an unauthenticated user to impersonate another user and execute operations with that user's privileges.
What was the potential impact?
ServiceNow has no evidence that this issue was maliciously exploited in customer production environments. If left unaddressed, the issue could have resulted in unauthorized access and actions performed under another user's identity.
How has ServiceNow addressed the issue?
On October 30, 2025, we applied a security update to all hosted instances identified as affected, and self-hosted customers received instructions to apply the same updates at that time.
Resources and Support:
Customers requiring additional information or assistance may contact ServiceNow Support or access the in-instance Security Center. Updated knowledge base articles and mitigation guidance are available on the ServiceNow Support Portal.