CVE-2025-12420
User Impersonation Vulnerability in ServiceNow AI Platform
Publication date: 2026-01-12
Last updated on: 2026-01-13
Assigner: ServiceNow
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| servicenow | ai_platform | From October_2025 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-250 | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the ServiceNow AI Platform allows an unauthenticated user to impersonate another user and perform actions that the impersonated user is authorized to do. [1]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access and actions within the ServiceNow AI Platform, potentially allowing attackers to perform privileged operations without authentication, which could compromise system integrity and data security. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, promptly apply the relevant security update or upgrade provided by ServiceNow. Hosted instances have been updated by ServiceNow as of October 2025. Self-hosted customers, partners, and those with unique configurations should apply the provided security updates or upgrades without delay. [1]