
BodySnatcher (CVE-2025-12420): A Broken Authentication and Agentic Hijacking Vulnerability in ServiceNow
Why It Matters
The flaw turns ServiceNow’s AI‑driven automation into a remote attack vector, exposing enterprise data and control to unauthenticated actors. Prompt remediation is essential for organizations relying on ServiceNow’s workflow automation.
Key Takeaways
- Unauthenticated email allows admin impersonation via Virtual Agent API.
- Shared static secret bypasses MFA and SSO controls.
- Exploit creates admin user, granting full ServiceNow access.
- On‑premise customers must upgrade to fixed versions immediately.
- Enforce MFA for provider linking and audit dormant AI agents.
Pulse Analysis
The emergence of agentic AI has amplified traditional software bugs, turning routine misconfigurations into high‑impact threats. ServiceNow’s Virtual Agent platform, designed to streamline ticketing and self‑service, relies on a provider model in which external channels authenticate with a static client secret. Combined with an auto‑linking feature that trusts a bare email address, this architecture inadvertently creates a backdoor: any actor who knows a target’s email can masquerade as that user, sidestepping multi‑factor authentication and single sign‑on.
Technical analysis reveals that the shared secret—identical across all ServiceNow instances—feeds the Virtual Agent API endpoint, while the hidden AIA‑Agent Invoker AutoChat topic silently routes requests to privileged AI agents. By crafting a JSON payload that specifies the admin’s email and the internal topic identifiers, an attacker can trigger the AI orchestrator to execute arbitrary commands, such as provisioning a new admin account. The exploit leverages the A2A (Agent‑to‑Agent) scripted REST API to inject context variables, effectively hijacking the AI workflow and granting full platform control without ever authenticating.
Mitigation requires a multi‑layered approach. On‑premise deployments should apply the vendor‑released patches for Now Assist AI Agents (≥ 5.1.18/5.2.19) and Virtual Agent API (≥ 3.15.2/4.0.4). Organizations must enforce MFA on provider account‑linking, disable auto‑linking where possible, and institute rigorous AI‑agent lifecycle policies—regularly auditing dormant agents and requiring steward approval for new agents. As AI assistants become integral to enterprise operations, treating their configuration as critical infrastructure will be essential to prevent similar agentic attack chains across other platforms.
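The two weaknesses discussed above (auto‑linking on a caller‑supplied email, and provider channels reaching internal orchestration topics) are easiest to see side by side. The following is an added illustrative model, not ServiceNow code: every name in it (`users`, `verifiedLinks`, `PROVIDER_ALLOWED_TOPICS`, the resolver and gate functions, and the sample identities) is hypothetical, and the point is how the hardened resolver derives identity only from a pre‑established, MFA‑verified link and how an allow‑list keeps provider traffic off internal topics.

```javascript
// Constructed sample state (hypothetical, not a ServiceNow data model).
const users = new Map([
  ["admin@example.com", { sysId: "u-admin", roles: ["admin"] }],
  ["alice@example.com", { sysId: "u-alice", roles: ["itil"] }],
  ["bob@example.com", { sysId: "u-bob", roles: ["itil"] }],
]);

// Provider-account links. Only links created through an interactive,
// MFA-verified linking flow carry mfaVerified: true.
const verifiedLinks = new Map([
  ["teams:alice-123", { email: "alice@example.com", mfaVerified: true }],
  ["slack:bob-456", { email: "bob@example.com", mfaVerified: false }],
]);

// Topics a provider channel is allowed to start. Internal orchestration
// topics (the page's "AIA-Agent Invoker AutoChat" is one) are deliberately absent.
const PROVIDER_ALLOWED_TOPICS = new Set(["Password Reset", "Create Incident"]);

// Weak resolver: auto-links on whatever email the caller supplies.
// Anyone holding the shared provider secret can name any user here.
function resolveUserWeak(req) {
  return users.get(req.email) || null;
}

// Hardened resolver: identity comes only from an existing MFA-verified link
// keyed by the provider's own user id; req.email is ignored for identity.
function resolveUserHardened(req) {
  const link = verifiedLinks.get(req.providerUserId);
  if (!link || !link.mfaVerified) return null;
  return users.get(link.email) || null;
}

// Authorization gate for provider-originated conversations: resolve the
// caller with the given resolver, then allow only allow-listed topics.
function authorizeProviderRequest(req, resolver) {
  const user = resolver(req);
  if (!user) return { allowed: false, reason: "unlinked identity" };
  if (!PROVIDER_ALLOWED_TOPICS.has(req.topic)) {
    return { allowed: false, reason: "topic not allowed from provider", user: user.sysId };
  }
  return { allowed: true, user: user.sysId };
}
```

Run the same request through both resolvers to see the difference: the weak path accepts an unknown provider identity that merely names an admin's email, the hardened path rejects it, and even a properly linked user cannot start an internal topic from a provider channel.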