BodySnatcher flaw lets attackers take over ServiceNow's AI agents


A critical AI security vulnerability, dubbed “BodySnatcher,” highlights how the growing power of AI agents within workflow management platforms used by most Fortune 100 enterprises can turn routine automation into a takeover path.

The issue, tracked as CVE-2025-12420, affected ServiceNow’s Virtual Agent API and Now Assist AI Agents. According to the researcher who first discovered it, it could have enabled an attacker to impersonate privileged users and drive AI agent workflows to create backdoor access.


ServiceNow has now addressed the vulnerability, which was reported and remediated in October last year. This Tuesday, an advisory was published, detailing the issue.

While the company has moved to close the specific exploit chain, Aaron Costello, chief of security research at SaaS security firm AppOmni, warns that as enterprises grant AI agents more autonomy, small identity and integration weaknesses can escalate into full compromise.

“BodySnatcher is the most severe AI-driven vulnerability uncovered to date: Attackers could have effectively ‘remote controlled’ an organization’s AI, weaponizing the very tools meant to simplify the enterprise,” says Costello.

“The ServiceNow AI applications susceptible to this flaw are used by nearly half of AppOmni’s Fortune 100 customers.”

How the Now Assist Agent and Virtual Agent API are compromised

ServiceNow is utilized by numerous large organizations and is deeply integrated into their ecosystems, often serving as the backbone for IT service management, HR operations, and internal business workflows.

The Now Assist AI Agent helps organizations create and use AI agents on the ServiceNow platform, and the Virtual Agent API enables them to communicate with ServiceNow's chatbot framework from external platforms.

They’re used mostly for internal company tasks: a typical deployment is a chatbot integrated with Microsoft Teams or Slack that lets staff access ServiceNow knowledge base content, search ServiceNow for information, file hardware or software provisioning requests, and look up IT support ticket information.


The BodySnatcher vulnerability, so named because it takes over the identity under which the agent runs, demonstrates how these same capabilities could be turned into a powerful attack surface.

At the core of the vulnerability was ServiceNow’s Virtual Agent, the platform’s enterprise chatbot framework.

Virtual Agent translates natural-language input into structured “topics,” which are predefined workflows designed to carry out specific tasks.

To support integrations outside the ServiceNow web interface, such as external bots or automated systems, the platform exposes a Virtual Agent API that relies on configurable “providers” to authenticate requests and associate them with user identities.

According to Costello’s analysis, certain AI Agent providers introduced with the Now Assist AI Agents application relied on a static authentication token combined with automatic account linking based solely on an email address.

This meant that an attacker who knew the shared token and the email address of a valid ServiceNow user could have their external requests treated as if they originated from that user, without triggering multi-factor authentication (MFA) or single sign-on protections.
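To make the weakness concrete, the following added example (not ServiceNow code, and not from the researcher) contrasts a provider that links identities the way the article describes, a shared static token plus auto-linking on a claimed email, with a hardened design: a per-request signed assertion bound to a nonce and expiry, a mapping of external subjects to users that an administrator established out of band, and a refusal to let privileged accounts act through the external channel at all. All tokens, secrets and user records are constructed placeholders.

```python
import hmac
import hashlib
import time

# Constructed user directory (hypothetical; not data from the advisory).
USERS = {"alice@example.com": {"roles": ["admin"]},
         "bob@example.com": {"roles": ["itil"]}}

# The anti-pattern from the article: one shared static token, and whoever
# presents it is linked to whatever user email they claim.
STATIC_TOKEN = "shared-provider-token"  # constructed placeholder

def vulnerable_link(token: str, email: str):
    """Static token + auto-link on email: any known email, MFA never consulted."""
    if not hmac.compare_digest(token, STATIC_TOKEN):
        return None
    return email if email in USERS else None

# Hardened provider (hypothetical design): short-lived signed assertions,
# replay protection, explicit pre-approved links, no admin via this channel.
PROVIDER_SECRET = b"per-provider-secret"  # constructed placeholder; rotate regularly
APPROVED_LINKS = {"teams:sub-123": "bob@example.com",     # set up by an admin
                  "teams:sub-999": "alice@example.com"}   # admin: blocked below
_seen_nonces = set()

def sign_assertion(subject: str, nonce: str, exp: float) -> str:
    msg = f"{subject}|{nonce}|{exp}".encode()
    return hmac.new(PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()

def hardened_link(subject: str, nonce: str, exp: float, sig: str, now=None):
    """Return the linked user, or None if the assertion must be rejected."""
    now = time.time() if now is None else now
    if exp < now or nonce in _seen_nonces:          # expired or replayed
        return None
    if not hmac.compare_digest(sig, sign_assertion(subject, nonce, exp)):
        return None                                  # forged or tampered
    _seen_nonces.add(nonce)
    user = APPROVED_LINKS.get(subject)               # no auto-link by email
    if user is None or "admin" in USERS[user]["roles"]:
        return None                                  # privileged users: interactive, MFA'd session only
    return user
```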

Impersonation on its own was only the first step: Costello noted that the real impact emerged when it was combined with ServiceNow’s agentic AI workflows.

The research showed that impersonated requests could be routed into internal Virtual Agent topics designed to invoke AI agent execution.

In a proof-of-concept scenario, an attacker impersonating an administrator instructed an AI agent to create a new user account and then assign that account the admin role, establishing persistent and fully privileged access.

The AI agent followed its normal safety flow: before executing sensitive actions, it requested confirmation, as it was configured to do. However, because the attacker was already operating under the identity of a privileged user, they could simply send a follow-up instruction approving the action.


The AI agents, trusting the identity context, then acted exactly as designed.

Remediation of ServiceNow vulnerability

ServiceNow’s remediation focused on closing the specific gaps that enabled the exploit chain.

The company rotated provider credentials, removed the particularly powerful AI agent used in the proof-of-concept, and issued formal guidance through its advisory.


It is advising customers running on-premises ServiceNow deployments to “upgrade to, at minimum, the earliest fixed version of each affected application to secure their environment.”

ServiceNow adds that no action is required for its cloud-hosted customers. In its advisory, the vendor adds that, to its knowledge, there have been no exploitations of this flaw in the wild.

While these steps addressed the immediate risk, the researcher cautions that the underlying lessons apply broadly across enterprise SaaS platforms.

“As AI agents are granted more autonomy to manage accounts and modify configurations, they become high-value targets that can be manipulated if robust guardrails aren’t in place,” Costello said.

He added that AI agents must be treated as privileged infrastructure, with identity assurance, approval workflows, and continuous security oversight to match.


ServiceNow released the following statement.

We are aware of a reported vulnerability that could allow privilege escalation on the ServiceNow AI Platform. In October 2025 we issued a security update to customer instances that addressed the issue. At this time, we have found no evidence of malicious exploitation.

ServiceNow
