Week 3 – AI Agents Under Attack: High-Risk Vulnerability in ServiceNow

12 – 18 Jan 2026

Our CVE of the Week series continues with an AI Agent vulnerability that affected ServiceNow, one of the most popular cloud-based platforms for IT and business process automation.

The CVE-2025-12420 vulnerability, assigned a CVSS 4.0 score of 9.3, allows an unauthenticated attacker to impersonate another user and perform the operations that the impersonated user is entitled to perform.

This is possible because the default configuration of ServiceNow's Now Assist platform can permit second-order prompt injection. With this technique, the attacker does not deliver malicious instructions directly through user input; instead, the instructions are planted in data that the system processes, and the AI agents act on them when that data reaches them.

These attacks exploit a feature called agent discovery, which was originally designed to enable AI agents to collaborate on complex tasks. Although this feature is intended to improve efficiency, if it is misconfigured or insufficiently monitored, it can introduce new attack vectors, as the information exchanged between agents can also be manipulated.

All this highlights that the security of AI Agents does not only depend on the underlying technology, but also on how organizations configure and manage these tools.

Two critical components require immediate intervention. The Now Assist AI Agents application must be patched to version 5.1.18 or later, or alternatively to version 5.2.19 or later. In addition, the Virtual Agent API must be updated to version 3.15.2 or later, or alternatively to version 4.0.4 or later.
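Because the fix ships on two maintenance branches per component, a naive "is my version higher than 5.1.18?" check gives the wrong answer for a 5.2.x instance. The following is an added example, not ServiceNow's or the advisory's own code, that applies the fixed versions quoted above; it assumes each fixed version covers its own major.minor branch, that any branch newer than the highest fixed one is fixed, and that any other branch is reported as unpatched so it gets reviewed.

```python
"""Patch-status check for the two components named in the advisory.

Fixed versions are the ones quoted in the advisory text. The branch
interpretation is an assumption of this example: a 5.1.x install is fixed
at 5.1.18+, a 5.2.x install at 5.2.19+, anything newer than the highest
fixed branch counts as fixed, anything else is reported as unpatched.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed versions per component, from the advisory for CVE-2025-12420.
FIXED_VERSIONS: Dict[str, List[Version]] = {
    "Now Assist AI Agents": [(5, 1, 18), (5, 2, 19)],
    "Virtual Agent API": [(3, 15, 2), (4, 0, 4)],
}


def parse_version(text: str) -> Version:
    """Turn '5.1.18' into (5, 1, 18); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(component: str, installed: str) -> bool:
    """True only if the installed version carries the fix for its branch."""
    inst = parse_version(installed)
    fixed = sorted(FIXED_VERSIONS[component])
    for fv in fixed:
        if inst[:2] == fv[:2]:            # same major.minor branch as a fix
            return inst >= fv
    # No fixed branch matched: only a branch newer than every fix is assumed
    # fixed; older or in-between branches are flagged for review.
    return inst > fixed[-1]


def audit(installed: Dict[str, str]) -> Dict[str, bool]:
    """Check every affected component; a missing one counts as unpatched."""
    return {
        name: name in installed and is_patched(name, installed[name])
        for name in FIXED_VERSIONS
    }


if __name__ == "__main__":
    # Constructed sample inventory, not data from a real instance.
    sample = {"Now Assist AI Agents": "5.2.0", "Virtual Agent API": "4.0.4"}
    for name, ok in audit(sample).items():
        print(f"{name}: {'patched' if ok else 'UPDATE REQUIRED'}")
```

Note that 5.2.0 is numerically above 5.1.18 yet still below its own branch's fix, which is exactly the case the branch-aware check catches.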

ServiceNow is not aware of this issue being exploited against customer instances. However, because the risk tends to increase once a vulnerability is publicly disclosed, we strongly recommend updating the affected applications as soon as possible.

For more information, please visit:
Official ServiceNow report: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329
Research about second-order prompt injection: https://appomni.com/ao-labs/ai-agent-to-agent-discovery-prompt-injection/


White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.

With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.