‘BodySnatcher’ AI Vulnerability in ServiceNow Exposes How Dangerous Overpowered Agents Can Be

In a stark warning for enterprise AI security, researchers this week published detailed analyses of CVE-2025-12420, a critical impersonation flaw in ServiceNow’s Now Assist AI Platform and Virtual Agent API, nicknamed “BodySnatcher.” The bug shows how misdesigned AI agents can turn a helpdesk chatbot into a full‑platform takeover tool.

The Breakthrough: How ‘BodySnatcher’ Was Uncovered

  • The vulnerability lets unauthenticated attackers impersonate any ServiceNow user, including administrators, using only an email address and tenant details.
  • It stems from broken authentication in Now Assist AI Agents and the Virtual Agent API, rated critical (CVSS up to 9.3).
  • Research from AppOmni’s AO Labs and follow‑on advisories on January 13–16, 2026 brought the exploit chain and AI angle into full public view.
  • Because ServiceNow underpins IT workflows for roughly 85% of the Fortune 500, the blast radius spans HR, customer service, and security operations worldwide.

Technical Details: How the Exploit Chain Works

  1. Universal static secret
    ServiceNow shipped a single hardcoded credential, "servicenowexternalagent", reused across all customers to authenticate third‑party chat integrations to Virtual Agent.

  2. Email‑only impersonation
    With that secret plus a user’s email and the tenant URL (easy to discover via subdomain scans), attackers could bypass passwords and MFA and act as that user.

  3. Over‑privileged AI agents
    A prebuilt Now Assist agent could “create data anywhere” in ServiceNow; researchers showed it could be instructed to create a new admin account, granting persistent full control.

  4. Supply-chain pivoting
    With admin‑level access on a platform wired into Salesforce, Microsoft 365 and other systems, attackers could pivot into broader SaaS and supply‑chain attacks.
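To make the first two steps of the chain concrete from a defender's point of view, the following is an added example (not ServiceNow's code and not AppOmni's research) that models the flawed authentication design beside a hardened alternative. The constant `SHARED_STATIC_SECRET` is a constructed placeholder standing in for the single shared credential the article describes, the per-tenant keys in `TENANT_SECRETS` are constructed sample values, and the token format is an assumption chosen for illustration, not the vendor's fix. The point it demonstrates is that an integration credential should be per tenant, signed, bound to the user it speaks for and short-lived, so that knowing one constant plus a target's email proves nothing.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder for the single static credential the article describes
# (not the real value). Every tenant shared it, so it identified nobody in particular.
SHARED_STATIC_SECRET = "SHARED_STATIC_SECRET_PLACEHOLDER"


def weak_authenticate(presented_secret, email):
    """Model of the flawed design: one constant secret for all customers, and the
    caller's self-declared email is trusted as the identity to act as."""
    if hmac.compare_digest(presented_secret, SHARED_STATIC_SECRET):
        return {"user": email}          # any email the caller names is accepted
    return None


# Hardened design (assumption for illustration): each tenant/integration holds its
# own secret, and requests carry a short-lived HMAC-signed token bound to the
# tenant, the integration and the user it speaks for.
TENANT_SECRETS = {
    "acme": b"constructed-per-tenant-key-1",
    "globex": b"constructed-per-tenant-key-2",
}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tenant, integration_id, user_id, now, ttl=300):
    """Sign claims with the tenant's own key; 'exp' limits replay to ttl seconds."""
    claims = {"tenant": tenant, "integration": integration_id,
              "sub": user_id, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(TENANT_SECRETS[tenant], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token, expected_tenant, now):
    """Return the user id the token speaks for, or None if it fails any check:
    malformed, signed with another tenant's key, tampered, wrong tenant claim,
    or expired."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return None
    key = TENANT_SECRETS.get(expected_tenant)
    if key is None:
        return None
    expected_sig = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return None                     # forged, tampered, or wrong tenant key
    claims = json.loads(body)
    if claims.get("tenant") != expected_tenant:
        return None                     # token minted for a different tenant
    if claims.get("exp", 0) <= now:
        return None                     # expired: no long-lived replay
    return claims["sub"]


if __name__ == "__main__":
    now = 1_000_000
    print(weak_authenticate(SHARED_STATIC_SECRET, "anyone@example.com"))   # accepted
    tok = issue_token("acme", "chat-connector", "alice", now)
    print(verify_token(tok, "acme", now + 10))      # alice
    print(verify_token(tok, "globex", now + 10))    # None
    print(verify_token(tok, "acme", now + 301))     # None
```

Note the asymmetry the test exposes: `weak_authenticate` returns whatever identity the caller asks for, while `verify_token` only ever returns the subject that a tenant-specific key signed, and only within the token's lifetime.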

Impact: What It Means for Enterprises

  • The flaw effectively turned ServiceNow’s AI layer into a remote control for privileged workflows, without needing any legitimate credentials.
  • ServiceNow deployed fixes on October 30, 2025 to most hosted instances and released updated Store app versions for Now Assist AI Agents (5.1.18+ / 5.2.19+) and Virtual Agent API (3.15.2+ / 4.0.4+).
  • Advisories so far report no known in‑the‑wild exploitation, but unpatched self‑hosted or partner environments remain attractive targets post‑disclosure.
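Because the fix shipped as Store app version floors on two branches per app, a practical first check for self-hosted or partner-managed instances is to compare installed versions against those floors. The following is an added example, not a ServiceNow tool: the version numbers come from the advisories summarised above, the inventory in the `__main__` block is constructed sample data, and the branch-matching rule (a version is judged against the fixed release on its own major.minor branch, older branches are treated as unpatched, and newer branches are flagged for vendor confirmation rather than assumed safe) is this example's own conservative policy.

```python
# Fixed Store app versions stated in the advisories: two maintained branches per app.
FIXED_VERSIONS = {
    "Now Assist AI Agents": ["5.1.18", "5.2.19"],
    "Virtual Agent API": ["3.15.2", "4.0.4"],
}


def parse_version(text):
    """Turn '5.1.18' into (5, 1, 18). Anything non-numeric is rejected rather
    than silently compared as a string."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(app, installed):
    """Classify an installed version as 'patched', 'vulnerable' or 'unverified'.

    - Same major.minor branch as a listed fix: patched iff installed >= fix.
    - Branch older than the oldest listed fix: vulnerable (no fix listed for it).
    - Branch newer than any listed fix: unverified; confirm with the vendor
      instead of assuming a newer line inherited the fix.
    """
    inst = parse_version(installed)
    fixed = sorted(parse_version(v) for v in FIXED_VERSIONS[app])
    branch = inst[:2]
    for fix in fixed:
        if fix[:2] == branch:
            return "patched" if inst >= fix else "vulnerable"
    if branch < fixed[0][:2]:
        return "vulnerable"
    return "unverified"


def audit(inventory):
    """inventory: list of (instance, app, installed_version).
    Returns one (instance, app, installed_version, status) row per entry."""
    return [(inst, app, ver, patch_status(app, ver)) for inst, app, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real instance data.
    sample = [
        ("dev-01", "Now Assist AI Agents", "5.1.17"),
        ("prod-01", "Now Assist AI Agents", "5.2.19"),
        ("partner-02", "Virtual Agent API", "4.0.3"),
        ("lab-03", "Virtual Agent API", "3.14.9"),
    ]
    for row in audit(sample):
        print(row)
```

The "unverified" outcome is deliberate: a version on a branch the advisory does not list is not evidence of safety, and treating it as patched is exactly the kind of assumption that leaves a self-hosted environment exposed after disclosure.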

For security teams, BodySnatcher is a blueprint for how agentic AI plus weak identity controls can rapidly escalate into platform‑wide compromise.

Future Outlook: AI Security Moves to the Front Line

Over the next 6–12 months, expect:

  • Mandatory AI-agent reviews alongside traditional code review and change management, focusing on scoping what agents are allowed to do.
  • Wider adoption of AI Security Posture Management (AISPM) tools, like AppOmni’s AgentGuard, to monitor prompts, data access, and agent behaviors in real time.
  • Regulators and auditors pushing enterprises to apply Zero Trust principles—least privilege, strong MFA, segmentation—to AI workflows, not just human users.
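The "scoping what agents are allowed to do" review point, and the third step of the exploit chain (an agent that could create data anywhere, including a new administrator account), both come down to a default-deny authorization layer between an agent and the platform. The following is an added example of what such a layer and a policy linter can look like; it is not ServiceNow's permission model. The policy format, the agent names, and the table names (including the identity tables) are hypothetical choices made for this illustration.

```python
# Hypothetical policy model: each agent gets an explicit allow-list of
# (operation, table) pairs; anything not listed is denied. Table names are
# illustrative, not a description of any vendor's schema.
IDENTITY_TABLES = {"sys_user", "sys_user_has_role", "sys_user_role"}
WILDCARD = "*"

AGENT_POLICIES = {
    # Tightly scoped: can work tickets and read the knowledge base, nothing else.
    "ticket-triage-agent": {
        ("create", "incident"),
        ("update", "incident"),
        ("read", "kb_knowledge"),
    },
    # Overpowered, in the spirit of "create data anywhere": should fail review.
    "everything-agent": {("create", WILDCARD), ("update", WILDCARD)},
}


def lint_policy(agent, policy):
    """Return review findings for one agent's allow-list. An empty list means
    the scope passes the two checks that matter most for impersonation-style
    abuse: no wildcard scopes, and no write access to identity tables."""
    findings = []
    for operation, table in sorted(policy):
        if table == WILDCARD:
            findings.append(f"{agent}: wildcard scope for '{operation}' is not allowed")
        if table in IDENTITY_TABLES and operation != "read":
            findings.append(f"{agent}: agents may not '{operation}' identity table '{table}'")
    return findings


def authorize(agent, operation, table, audit_log):
    """Default-deny decision for one proposed agent action. Every denial is
    appended to audit_log so that attempts to reach beyond scope are visible
    to the security team, not silently dropped."""
    if agent not in AGENT_POLICIES:
        reason = "unknown agent"
    elif table in IDENTITY_TABLES and operation != "read":
        reason = "identity tables are never agent-writable"   # hard rule, ignores allow-list
    elif (operation, table) in AGENT_POLICIES[agent]:
        return True, "allowed"
    else:
        reason = "action not in agent allow-list"
    audit_log.append({"agent": agent, "operation": operation, "table": table, "denied": reason})
    return False, reason


if __name__ == "__main__":
    for name, policy in AGENT_POLICIES.items():
        print(name, lint_policy(name, policy) or "OK")
    log = []
    print(authorize("ticket-triage-agent", "create", "incident", log))
    print(authorize("ticket-triage-agent", "create", "sys_user", log))
    print(authorize("everything-agent", "create", "sys_user", log))
    print(log)
```

Two design choices carry the weight here. The identity-table rule sits above the allow-list, so even a policy that slipped through review with a wildcard cannot mint accounts or roles; and denials are logged as structured events, which is what turns an over-reaching agent from a silent failure into a detectable one.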

As enterprises rush to embed AI into critical workflows, BodySnatcher underscores a simple reality: AI agents are now privileged software components. Unless their credentials, permissions, and behaviors are engineered as carefully as any other high‑risk code, they may become one of the most dangerous parts of the stack.