ServiceNow Vulnerability Enables Full User Impersonation

On January 19, 2026, a security researcher disclosed a critical vulnerability in ServiceNow’s Virtual Agent API and Now Assist AI Agents application, tracked as CVE-2025-12420 and dubbed "BodySnatcher." The flaw allows unauthenticated attackers to impersonate any user using only an email address, bypassing MFA and SSO to execute privileged AI workflows and create backdoor administrator accounts. Enterprises should urgently apply vendor patches and audit agent integrations.