Ethical Hacking News
ServiceNow has patched a critical vulnerability in its AI Platform that allowed unauthenticated users to impersonate other users and execute unauthorized actions. The fix is included in Now Assist AI Agents 5.1.18 or later and in Virtual Agent API 3.15.2 or later and 4.0.4 or later; the patches were also shared with partners and self-hosted customers.
ServiceNow's AI Platform has a critical vulnerability that allows unauthenticated users to perform arbitrary actions. The vulnerable versions carry a CVSS score of 9.3 out of 10.0, making it a top-priority concern for security professionals. A patch was released on October 30, 2025, to mitigate the threat posed by this vulnerability. Users are advised to apply the patches without delay to safeguard their systems. The implications of this vulnerability include unauthorized access to sensitive corporate data and modification of records.
News of a critical vulnerability in ServiceNow's AI Platform has drawn wide attention in the cybersecurity community: it lets an unauthenticated user perform arbitrary actions as if they were a legitimate user. The vulnerable versions of Now Assist AI Agents and Virtual Agent API carry a CVSS score of 9.3 out of 10.0, making this a top-priority concern for security professionals worldwide.
In October 2025, AppOmni's chief of SaaS Security Research, Aaron Costello, discovered this critical vulnerability that could enable an unauthenticated user to impersonate another user and perform operations that the impersonated user is entitled to do. This alarming revelation was promptly addressed by ServiceNow, which subsequently patched the majority of hosted instances on October 30, 2025. Moreover, they shared these patches with both their partners and self-hosted customers to prevent potential exploitation.
The fix is included in Now Assist AI Agents version 5.1.18 or later and in Virtual Agent API version 3.15.2 or later and 4.0.4 or later. Nonetheless, security experts advise users to apply these updates without delay in order to safeguard their systems from potential threats.
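Because Virtual Agent API has fixes on two separate release lines (3.15.2 and 4.0.4), a naive "is my version number bigger than 3.15.2?" check would wrongly pass an unpatched 4.0.3 install. The following inventory triage script is an added example, not code from the article, ServiceNow, or AppOmni; it assumes you can export the installed version strings of both apps (the `INVENTORY` list below is constructed sample data, not real instances) and it treats major lines the advisory does not mention as "unknown" rather than as fixed, which is a conservative assumption of this example.

```python
# Branch-aware patch-status check for the ServiceNow AI Platform advisory.
# Added example; version thresholds come from the advisory text above.

# Minimum fixed version per product and per major release line.
# Virtual Agent API maintains both 3.x and 4.x, so each line has its own threshold.
FIXED_VERSIONS = {
    "Now Assist AI Agents": {5: (5, 1, 18)},
    "Virtual Agent API": {3: (3, 15, 2), 4: (4, 0, 4)},
}

# Constructed sample inventory: (instance name, product, installed version).
INVENTORY = [
    ("dev-instance", "Now Assist AI Agents", "5.1.17"),
    ("prod-instance", "Now Assist AI Agents", "5.2.0"),
    ("prod-instance", "Virtual Agent API", "4.0.3"),  # numerically > 3.15.2 but NOT fixed on 4.x
    ("legacy-instance", "Virtual Agent API", "3.16.0"),
    ("sandbox", "Virtual Agent API", "2.9.9"),         # line not covered by the advisory
]


def parse_version(text):
    """Parse 'major.minor.patch' into a comparable integer tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(product, version):
    """Return True/False for a covered release line, or None when the major line is unknown.

    None is deliberate: an uncovered line (e.g. 2.x, or a major above those listed) is
    flagged for manual follow-up instead of being silently assumed safe (assumption of
    this example, not a statement from the advisory).
    """
    lines = FIXED_VERSIONS.get(product)
    if lines is None:
        raise KeyError(f"no advisory data for product {product!r}")
    installed = parse_version(version)
    fixed = lines.get(installed[0])   # threshold for this major line only
    if fixed is None:
        return None
    return installed >= fixed


def triage(inventory):
    """Classify every inventory row as 'patched', 'vulnerable' or 'unknown'."""
    labels = {True: "patched", False: "vulnerable", None: "unknown"}
    return [
        (instance, product, version, labels[is_patched(product, version)])
        for instance, product, version in inventory
    ]


def vulnerable_rows(inventory):
    """Rows that definitely need the update applied."""
    return [row for row in triage(inventory) if row[3] == "vulnerable"]


if __name__ == "__main__":
    for instance, product, version, status in triage(INVENTORY):
        print(f"{instance:16} {product:22} {version:8} {status}")
```

Run against a real export, the two rows to act on first are the ones reported as `vulnerable`; `unknown` rows need a human to confirm which release line they are on before being marked safe.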
It is worth noting that Aaron Costello's discovery of this critical AI platform flaw comes on the heels of another recent AppOmni finding concerning default configurations in ServiceNow's Now Assist generative artificial intelligence (AI) platform. In a press release, AppOmni reported that malicious actors could exploit these default settings to conduct second-order prompt injection attacks.
The implications of this vulnerability are far-reaching and should not be underestimated. The ability of attackers to impersonate legitimate users and execute unauthorized actions raises significant concerns about the security and integrity of sensitive corporate data. It also gives attackers a means to modify records, escalate privileges, and exfiltrate valuable information from affected systems.
In light of this critical patch alert, ServiceNow's swift action to address the issue cannot be overstated. By deploying these patches to their hosted instances and providing them to partners and self-hosted customers, they have effectively minimized the window for potential exploitation by malicious actors. However, it is crucial that users remain vigilant and apply these updates without delay to ensure the continued security of their systems.
The recent revelations about ServiceNow's AI Platform vulnerability serve as a stark reminder of the importance of vigilance in cybersecurity. As technology continues to evolve at an unprecedented pace, so too do the potential threats that arise from it. It is up to us as a community to stay informed, address these vulnerabilities promptly, and work together to build a safer digital landscape.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Patch-Alert-ServiceNows-AI-Platform-Vulnerability-Leaves-Unauthenticated-Users-Impersonating-as-Others-ehn.shtml
https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html
Published: Tue Jan 13 06:09:19 2026 by llama3.2 3B Q4_K_M