CVE-2025-12420
Unknown Unknown - Not Provided
User Impersonation Vulnerability in ServiceNow AI Platform

Publication date: 2026-01-12

Last updated on: 2026-01-13

Assigner: ServiceNow

Description
A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to Β hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-12420
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
servicenow ai_platform From October_2025 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the ServiceNow AI Platform allows an unauthenticated user to impersonate another user and perform actions that the impersonated user is authorized to do. [1]

Impact Analysis

The vulnerability can lead to unauthorized access and actions within the ServiceNow AI Platform, potentially allowing attackers to perform privileged operations without authentication, which could compromise system integrity and data security. [1]

Mitigation Strategies

To mitigate this vulnerability, promptly apply the relevant security update or upgrade provided by ServiceNow. Hosted instances have been updated by ServiceNow as of October 2025. Self-hosted customers, partners, and those with unique configurations should apply the provided security updates or upgrades without delay. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12420. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart