PT-2026-2305 · ServiceNow · ServiceNow AI Platform

Published 2026-01-12 · Updated 2026-01-13 · CVE-2025-12420

CVSS v4.0: 9.3
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/R:U/V:C/RE:H/U:Amber

Name of the Vulnerable Software and Affected Versions
ServiceNow AI Platform (affected versions not specified)

Description
A flaw exists in the ServiceNow AI Platform that allows an unauthenticated user to impersonate another user and perform actions with the impersonated user's permissions. This is due to an IDOR (Insecure Direct Object Reference) pattern.

Recommendations
Apply the security update deployed in October 2025. If self-hosted, apply the security update provided by ServiceNow. If using a Store App, upgrade to a version with the security update.

Fix

LPE

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-12420

Affected Products

ServiceNow AI Platform