CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

ServiceNow Now Assist AI Agents Vulnerable to Second-Order Prompt Injection

First reported
Last updated
1 unique sources, 2 articles

Summary

Hide ▲

ServiceNow's Now Assist AI platform has been found vulnerable to second-order prompt injection attacks due to default configurations that allow agent-to-agent collaboration. Malicious actors can exploit these settings to perform unauthorized actions, such as data exfiltration, record modification, and privilege escalation, without user awareness. ServiceNow has acknowledged the behavior, emphasizing it is intended, and updated its documentation to clarify the risks. Additionally, ServiceNow has patched a critical security flaw (CVE-2025-12420) that could enable unauthenticated user impersonation, addressing the issue with security updates deployed to hosted instances and provided to partners and self-hosted customers on October 30, 2025.

Timeline

  1. 13.01.2026 13:47 1 articles · 23h ago

    ServiceNow patches critical AI platform flaw allowing unauthenticated user impersonation

    ServiceNow has patched a critical security flaw (CVE-2025-12420) in its AI platform that could enable unauthenticated user impersonation. The vulnerability was discovered and reported by Aaron Costello from AppOmni in October 2025. The flaw was addressed by deploying security updates to hosted instances and providing patches to partners and self-hosted customers on October 30, 2025. The affected versions include Now Assist AI Agents (sn_aia) - 5.1.18 or later and 5.2.19 or later, and Virtual Agent API (sn_va_as_service) - 3.15.2 or later and 4.0.4 or later.

    Show sources
    Open in new tab
  2. 19.11.2025 11:59 2 articles · 1mo ago

    ServiceNow Now Assist AI Agents Vulnerable to Second-Order Prompt Injection

    Researchers discovered that default configurations in ServiceNow's Now Assist AI platform allow agent-to-agent collaboration, enabling second-order prompt injection attacks. These attacks can perform unauthorized actions such as data exfiltration and privilege escalation. ServiceNow has updated its documentation to clarify the intended behavior and associated risks. Mitigation strategies include configuring supervised execution mode for privileged agents, disabling the autonomous override property, segmenting agent duties by team, and monitoring for suspicious behavior. Additionally, ServiceNow has patched a critical security flaw (CVE-2025-12420) that could enable unauthenticated user impersonation, addressing the issue with security updates deployed to hosted instances and provided to partners and self-hosted customers on October 30, 2025.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Authentication Bypass in Claroty Secure Remote Access

Claroty has patched an authentication bypass flaw (CVE-2025-54603) in its Secure Remote Access (SRA) product. The vulnerability, discovered by Limes Security, allowed attackers to create unauthorized users, impersonate existing users, and gain full admin control. The flaw affects the on-premises OpenID Connect (OIDC) feature in Claroty SRA versions 3.3.0 through 4.0.2. The vulnerability stems from an incorrect implementation of the OIDC authentication flow, enabling attackers to bypass authentication mechanisms and potentially circumvent multifactor authentication. Claroty SRA is used by hundreds of organizations to secure critical OT assets across thousands of sites globally. The flaw was discovered during a routine penetration test and was reported to Claroty earlier this year. The vendor has since released a patch to mitigate the risk.

Open in new tab

ConnectWise Automate vulnerabilities patched

ConnectWise has released a security update for its Automate product to address two vulnerabilities. The most severe, CVE-2025-11492, allows for cleartext transmission of sensitive information, potentially exposing communications to adversary-in-the-middle (AiTM) attacks. The second, CVE-2025-11493, involves a lack of integrity verification for update packages. The vulnerabilities affect on-premises deployments of Automate, a remote monitoring and management (RMM) platform used by managed service providers (MSPs) and IT departments. The update is marked as a moderate priority, and administrators are advised to install it as soon as possible. These vulnerabilities could allow attackers to intercept or modify traffic, including commands, credentials, and update payloads, potentially leading to the installation of malicious files. The Automate 2025.9 patch enforces HTTPS for all agent communications to mitigate these risks. Partners running on-prem servers should also ensure TLS 1.2 is enforced to maintain secure communications.

Open in new tab

OneLogin OIDC Client Secret Exposure via API Key Misconfiguration

A high-severity flaw in OneLogin's Identity and Access Management (IAM) solution allowed attackers with valid API credentials to retrieve client secrets for all OpenID Connect (OIDC) applications within an organization's tenant. This could enable impersonation and unauthorized access to integrated services. The vulnerability, CVE-2025-59363, was due to an incorrect resource transfer between security boundaries, allowing unauthorized access to confidential data. It was addressed in OneLogin 2025.3.0, released in September 2025. The flaw could facilitate lateral movement within an organization's network, potentially affecting multiple applications and services.

Open in new tab

Critical OS Command Injection Vulnerability in FortiSIEM (CVE-2025-25256) Exploited in the Wild

Fortinet has disclosed a critical OS command injection vulnerability in FortiSIEM, identified as CVE-2025-25256. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to execute unauthorized code or commands via crafted CLI requests. Exploit code for this vulnerability has been observed in the wild. Affected versions include FortiSIEM 6.1 through 6.7.9 and 7.0.0 through 7.3.1. Fortinet advises upgrading to the latest versions and limiting access to the phMonitor port (7900) as a workaround. Additionally, a Fortinet FortiWeb path traversal vulnerability is being actively exploited to create new administrative users on exposed devices without requiring authentication. The vulnerability was silently patched in FortiWeb version 8.0.2. The exploitation activity was first detected early last month, and Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed. Rapid7 observed an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. The watchTowr team has released an artifact generator tool for the authentication bypass to help identify susceptible devices.

Open in new tab

Microsoft August 2025 Patch Tuesday: Multiple Critical Elevation-of-Privilege Vulnerabilities

Microsoft's August 2025 Patch Tuesday addressed 111 vulnerabilities, including 44 elevation-of-privilege (EoP) flaws and 35 remote code execution (RCE) vulnerabilities. The update also fixed 18 information disclosure flaws, 8 spoofing defects, and 4 denial-of-service issues. Critical issues included EoP bugs in Windows Hyper-V, Microsoft SQL Server, and Azure OpenAI, as well as RCE vulnerabilities in SharePoint and Windows Graphics Component. The update included a fix for CVE-2025-53779, a publicly known Windows Kerberos EoP flaw dubbed BadSuccessor, disclosed in May 2025. The update did not include any actively exploited bugs, marking the second consecutive month without such vulnerabilities. Security experts recommended immediate patching for high-severity issues, especially those in core system components and widely used services like SharePoint and SQL Server. However, the August 2025 security updates caused failures in reset and recovery operations on Windows 10 and older versions of Windows 11. Microsoft released emergency out-of-band updates on August 19, 2025, to resolve this issue. The emergency updates are available as optional updates via Windows Update and Windows Update for Business, or can be downloaded and installed manually from the Microsoft Update Catalog. Additionally, the August 2025 security updates caused severe lag and stuttering issues with NDI streaming software on some Windows 10 and Windows 11 systems. The issues affected applications such as OBS (Open Broadcast Software) and NDI Tools, especially when 'Display Capture' was enabled on the source PC. A temporary workaround involved changing the NDI Receive Mode to use TCP or UDP instead of RUDP. Microsoft resolved a known issue causing Windows upgrades to fail with 0x8007007F errors on some Windows 11 and Windows Server systems. The affected upgrade paths included Windows 10 1809, 21H2, and 22H2 to Windows 11 versions 23H2 and 22H2, and Windows Server 2016 to Windows Server 2019 or 2022, and Windows Server 2019 to Windows Server 2022. The issue was resolved as of August 15, 2025, and users were advised to retry the upgrade process if they encountered the error. The KB5064081 update introduced a new method for displaying CPU usage in Task Manager, standardizing CPU reporting across the application. The update included new Recall features and a redesigned Windows Hello interface. The update addressed an issue that prevented some system recovery features from working properly due to a temporary file sharing conflict. The update fixed an issue in Resilient File System (ReFS) where using backup apps with large files could sometimes exhaust system memory. The update resolved an issue with the Chinese (Simplified) Input Method Editor (IME) where some extended characters appeared as empty boxes. The update addressed an issue that prevented typing on the touch keyboard when using the Microsoft Changjie, Microsoft Bopomofo, or Microsoft Japanese Input Method Editors (IMEs). The update fixed an issue that slowed application installation on ARM64 devices. The update included fixes for audio and video performance issues when using Network Device Interface (NDI) to stream or transfer feeds between PCs. The update was part of the company's optional non-security preview update schedule, which releases updates at the end of each month to test new fixes and features coming to the next month's Patch Tuesday. The KB5065426 and KB5065431 cumulative updates for Windows 11 introduce new features and improvements, including a redesigned Windows Hello interface and enhanced passkey features. The updates include a new Recall feature that opens to a personalized homepage, highlighting recent activity and top-used apps and websites. The updates fix issues with the taskbar preview thumbnail, Search on the taskbar, and the lock screen widgets. The updates introduce a new navigation bar for quick access to Home, Timeline, Feedback, and Settings in the Recall feature. The updates include a new grid view in Search on the taskbar to help users quickly identify desired images. The updates provide clearer status information in Search on the taskbar, including progress notices and file availability status. The updates introduce a new visual experience for the Discover feed on the Widgets Board, including Copilot-curated stories. The updates include a new Windows Backup for Organizations feature, providing enterprise-grade backup and restore capabilities. The updates address an issue with the Microsoft Pluton Cryptographic Provider, resolving error messages in Windows Event Viewer. The updates fix issues with live captions, input methods, and various underlying system components. The September 2025 Windows security update fixed issues caused by the August 2025 updates, which triggered unexpected UAC prompts and app installation problems for non-admin users across all Windows versions. The issue was due to a security patch for CVE-2025-50173, a Windows Installer privilege escalation vulnerability. The September update reduces the scope of UAC prompts for MSI repairs and allows IT admins to disable UAC prompts for specific apps.

Open in new tab