ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation - The Hacker News
ServiceNow patched CVE-2025-12420, codenamed BodySnatcher, a critical vulnerability (CVSS 9.3) in its AI Platform that allowed unauthenticated user impersonation. This flaw enabled attackers to bypass MFA/SSO by chaining a hardcoded secret with email-based account linking, facilitating arbitrary actions and potential privilege escalation.