
Hackers Could Hijack ServiceNow AI Agents Using Just an Email Address

Critical BodySnatcher flaw lets attackers hijack ServiceNow AI agents with email alone. CVE-2025-12420 patched October 2025.

CVE-2025-12420 Unauthenticated Privilege Escalation in ServiceNow AI Platform

An attacker halfway across the world with nothing but your email address could hijack your company's AI agents, create backdoor admin accounts, and access everything from Social Security numbers to financial records. That's the nightmare scenario researchers discovered in ServiceNow's AI platform.

Security firm AppOmni uncovered what they're calling BodySnatcher (CVE-2025-12420)—the most severe AI-driven vulnerability found to date. The flaw affected ServiceNow's Virtual Agent API and Now Assist AI Agents, tools used by nearly half of Fortune 100 companies to automate workflows and customer service.

Here's what made this particularly dangerous: ServiceNow shipped these AI providers with an identical, hardcoded authentication token across every customer instance worldwide. Combine that with account-linking logic that trusted email addresses alone, and you've got a recipe for disaster. No credentials needed. No MFA bypass required. Just an email address.

Figure: BodySnatcher exploit chain at a high level

"An unauthenticated attacker who has never logged into your ServiceNow instance and has no credentials can impersonate an administrator and execute an AI agent to override security controls," explained AppOmni researcher Aaron Costello, who discovered the vulnerability.

The exploit chain was elegantly simple. Attackers could use the hardcoded token to authenticate to the Virtual Agent API, provide a target's email to impersonate them, then trigger AI agent execution through hidden system topics. One particularly powerful agent, "Record management AI agent," could create records in any database table—including user accounts with full admin privileges.

This isn't ServiceNow's first rodeo with critical flaws. In July 2024, researchers at Assetnote discovered three vulnerabilities (CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217) that, when chained together, allowed complete database access and command execution on internal servers.

ServiceNow patched BodySnatcher on October 30, 2025, rotating provider credentials and removing the dangerous AI agent. But the configuration choices that enabled this exploit could still lurk in custom code or third-party solutions.

What You Should Do:

Organizations running ServiceNow must verify they're on patched versions: Now Assist AI Agents 5.1.18/5.2.19 or later, and Virtual Agent API 3.15.2/4.0.4 or later. Enable MFA for account-linking, implement approval workflows for AI agents through AI Control Tower, and audit inactive agents regularly.
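A branch-aware check for the minimum versions listed above, as an added example (illustrative code written for this page, not a ServiceNow tool). It assumes the installed plugin versions are collected elsewhere, for instance from the instance's plugin inventory, and handed in as a list; the sample inventory is constructed. Each product has a separate fix per release branch, so 5.1.x is judged against 5.1.18 and 5.2.x against 5.2.19, anything on a later branch than the newest fix counts as "or later", and versions are compared numerically so that 3.15.10 is not mistaken for being older than 3.15.2.

```javascript
// Minimum patched versions named in the article, one per release branch.
const PATCHED_MINIMUMS = {
  "Now Assist AI Agents": ["5.1.18", "5.2.19"],
  "Virtual Agent API": ["3.15.2", "4.0.4"],
};

// Parse "major.minor.patch" into integers; reject anything that is not dotted digits.
function parseVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.length < 2 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`unparseable version string: ${v}`);
  }
  return parts.map(Number);
}

// Numeric, component-wise comparison: -1, 0 or 1. Missing components count as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function branchOf(v) {
  const [major, minor] = parseVersion(v);
  return `${major}.${minor}`;
}

// Decide whether one installed version meets the advisory minimum.
function checkPatched(product, installed) {
  const minimums = PATCHED_MINIMUMS[product];
  if (!minimums) throw new Error(`no advisory data for product: ${product}`);
  const sameBranch = minimums.find((m) => branchOf(m) === branchOf(installed));
  const highest = minimums.reduce((a, b) => (compareVersions(a, b) >= 0 ? a : b));
  const patched = sameBranch
    ? compareVersions(installed, sameBranch) >= 0 // fixed release on this branch
    : compareVersions(installed, highest) > 0;     // newer branch than any listed fix
  return { product, installed, required: sameBranch ?? `> ${highest}`, patched };
}

// Run the check over an inventory of { product, version } records.
function auditInstance(inventory) {
  return inventory.map(({ product, version }) => checkPatched(product, version));
}

// Constructed sample inventory (assumption, not real instance data).
const SAMPLE_INVENTORY = [
  { product: "Now Assist AI Agents", version: "5.1.17" },
  { product: "Now Assist AI Agents", version: "5.2.19" },
  { product: "Virtual Agent API", version: "3.15.10" },
  { product: "Virtual Agent API", version: "4.0.3" },
];

console.table(auditInstance(SAMPLE_INVENTORY));
```

Versions below the oldest listed branch (for example 5.0.x) fall through to the "newer than the highest fix" test and are reported as unpatched, which is the conservative reading of "or later".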

The BodySnatcher incident exposes a harsh reality: as AI agents gain power to automate complex tasks, they become proportionally dangerous attack vectors when misconfigured. The convergence of SaaS and AI security isn't coming—it's already here.
