CVE-2025-12420

CRITICAL EPSS 98.6%
Published Jan 12, 20265mo ago · Modified Jun 17, 20261w ago
9.3 CVSS 4.0
Critical
Find Similar
Published Jan 12, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to  hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so.

CVSS Details

Base Score
9.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:H/U:Amber
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope N

Threat Intelligence

EPSS Exploit Probability
98.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-250

Affected Products 4

VendorProductVersionRange
servicenownow_assist_ai_agents* <5.1.18
servicenownow_assist_ai_agents*≥5.2.0  –  <5.2.19
servicenowvirtual_agent_api* <3.15.2
servicenowvirtual_agent_api*≥4.0.0  –  <4.0.4

References 1

  • support.servicenow.com https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.