CVE-2025-12420

CRITICAL

9.8

Descripcion

A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so.

Detalles CVE

Puntuacion CVSS v3.19.8

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado1/12/2026

Ultima modificacion1/27/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

servicenow:now_assist_ai_agentsservicenow:virtual_agent_api

Debilidades (CWE)

CWE-250

Referencias

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329(psirt@servicenow.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.