Vulnerability Description
A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Servicenow | Now Assist Ai Agents | < 5.1.18 |
| Servicenow | Virtual Agent Api | < 3.15.2 |
Related Weaknesses (CWE)
References
FAQ
What is CVE-2025-12420?
CVE-2025-12420 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitle...
How severe is CVE-2025-12420?
CVE-2025-12420 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-12420?
Check the references section above for vendor advisories and patch information. Affected products include: Servicenow Now Assist Ai Agents, Servicenow Virtual Agent Api.