ServiceNow Vulnerability Enables Full User Impersonation
On January 19, 2026, a security researcher disclosed a critical vulnerability in ServiceNow’s Virtual Agent API and Now Assist AI Agents application, tracked as CVE-2025-12420 and dubbed "BodySnatcher." The flaw allows unauthenticated attackers to impersonate any user using only an email address, bypassing MFA and SSO to execute privileged AI workflows and create backdoor administrator accounts. Enterprises should urgently apply vendor patches and audit agent integrations.
Key Points
- Allows unauthenticated attackers to impersonate any ServiceNow user with only their email address
- Bypasses MFA and SSO, enabling execution of privileged AI workflows and account takeover
- Requires urgent patching and audit of Virtual Agent integrations to prevent backdoor administrator creation
Scoring Rationale
High novelty and actionable CVE disclosure with broad enterprise impact, balanced by single-source reporting and limited technical details.