Businesses relying on AI-driven platforms for their operations found themselves exposed when a significant vulnerability surfaced in ServiceNow’s Now Assist AI tools. The incident prompts broader industry discussions around the complexities of safely deploying artificial intelligence in enterprise environments. As organizations introduce increasingly autonomous agents, attention shifts from just technological advancements to responsible oversight and security management. Independent security research continues to highlight how configuration choices and system defaults can critically shape the risk landscape companies face.
Recent reports on ServiceNow had mostly centered on performance and productivity enhancements in its AI offerings, rarely addressing potential vulnerabilities of this magnitude. While prior news explored the adoption rate and expansion of ServiceNow’s Now Assist and Virtual Agent APIs, security flaws were seldom mentioned. The new vulnerability discovery brings to light how overlooking foundational configuration details can expose even reputable platforms to exploitation. This recent coverage also introduces emerging risks posed by agent-to-agent communication, a concern not previously linked so strongly to ServiceNow.
How Did ServiceNow’s Vulnerability Put Organizations at Risk?
A flaw identified as CVE-2025-12420 in ServiceNow’s Now Assist AI Agents and Virtual Agent API products potentially enabled unauthenticated users to impersonate others and execute unauthorized actions on affected systems. AppOmni, a SaaS security research firm, discovered the issue in October 2025, prompting ServiceNow to issue corrective patches by the end of that month. According to ServiceNow, no evidence has surfaced indicating the bug was exploited before the mitigation steps were rolled out.
“We have acted swiftly to deploy the necessary fixes to protect our customers and partners,”
a ServiceNow spokesperson said.
What Made the Exploit Possible in ServiceNow’s AI Platform?
The root of the vulnerability was traced to a combination of agent discovery mechanisms and default settings that grouped AI agents together and made them discoverable to each other by default. This configuration enabled what are known as second-order prompt injection attacks. By embedding malicious data, an attacker could prompt lower-privileged agents to enlist higher-privileged ones to access restricted areas, modify sensitive data, or escalate privileges—all actions not authorized to the original user. The protection features within ServiceNow’s system did not fully prevent these attack routes, underscoring the role of careful configuration.
Can Proper Configuration Prevent Future AI Security Risks?
ServiceNow acknowledged that agent grouping and discovery settings were intentional design elements aimed at facilitating collaboration between autonomous agents. However, this design inadvertently widened the attack surface when those agents were not properly segmented or supervised. The company has updated its documentation to offer clearer guidance to administrators.
“We encourage all users to review their configurations and follow our updated best practices,”
ServiceNow advised.
Security researchers and the company now advocate mitigation strategies such as restricting agent permissions based on function, establishing isolated agent teams for different tasks, and enforcing additional human oversight wherever high privileges are involved. Organizations are urged to routinely monitor agent interactions and flag deviations from set activity patterns. Effective prevention now appears to hinge more on how companies deploy and supervise their AI agents, rather than relying solely on out-of-the-box technical protections.
AI-driven enterprise platforms like those from ServiceNow bring powerful automation capabilities, but they also pose new and complex security considerations. Lessons from the response to this incident indicate that leaving AI system defaults unchanged can introduce substantial risks. Administrators of Now Assist AI Agents and Virtual Agent APIs should prioritize regular reviews of configuration options and maintain layered controls—even if security features are enabled by default. Close attention to documentation updates and guidance from both ServiceNow and independent researchers will be key to safely harnessing AI tools while minimizing vulnerabilities. For everyday users, understanding that the security of their workflows depends not just on vendors but also on internal policies and oversight may help foster a healthier culture of digital risk management.
