# [HIGH] ServiceNow's Virtual Agent Vulnerability Shows Why AI Security Needs Traditional AppSec Foundations **Source:** Snyk **Published:** 2026-01-14 **Article:** https://snyk.io/blog/servicenow-virtual-agent-vulnerability/ ## Threat Profile Snyk Blog In this article Written by Stephen Thoemmes January 14, 2026 0 mins read The recent disclosure of what security researchers are calling "the most severe AI-driven vulnerability uncovered to date" in ServiceNow's platform serves as a stark reminder: securing agentic AI isn't just about new AI-specific controls; it requires getting the fundamentals right first. The anatomy of the virtual agent vulnerability In October 2025, AppOmni's security research team discovered a critical vulnerab… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2025-12420` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1021.002** — SMB/Windows Admin Shares - **T1569.002** — Service Execution - **T1528** — Steal Application Access Token - **T1098.001** — Account Manipulation: Additional Cloud Credentials - **T1219** — Remote Access Software - **T1078.001** — Valid Accounts: Default Accounts - **T1078.004** — Valid Accounts: Cloud Accounts - **T1136.003** — Create Account: Cloud Account ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### BodySnatcher (CVE-2025-12420) — Hardcoded 'servicenowexternalagent' Token Observed in HTTP Traffic `UC_624_4` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Web.url) as url values(Web.src) as src_ip values(Web.http_user_agent) as user_agent from datamodel=Web.Web where (Web.url="*servicenowexternalagent*" OR Web.http_referrer="*servicenowexternalagent*" OR Web.cookie="*servicenowexternalagent*" OR Web.http_user_agent="*servicenowexternalagent*") by Web.dest Web.action Web.status | `drop_dm_object_name(Web)` | where action!="blocked" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql // Hunt the hardcoded 'servicenowexternalagent' token across any HTTP context Defender sees (URL clicks, network events with URL captured). let IOCToken = "servicenowexternalagent"; DeviceNetworkEvents | where Timestamp > ago(30d) | where RemoteUrl has IOCToken or AdditionalFields has IOCToken | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort | union (UrlClickEvents | where Timestamp > ago(30d) | where Url has IOCToken | project Timestamp, AccountUpn, Url, NetworkMessageId, IPAddress) | order by Timestamp desc ``` ### ServiceNow Virtual Agent Invocation of Hidden AIA-Agent Invoker AutoChat Topic (CVE-2025-12420) `UC_624_5` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Web.src) as src_ip values(Web.http_user_agent) as user_agent values(Web.http_method) as method from datamodel=Web.Web where Web.url="*service-now.com*" AND (Web.url="*/api/now/v1/awa*" OR Web.url="*/api/now/cs/*" OR Web.url="*virtualagent*" OR Web.url="*/api/sn_va_as_service/*") AND (Web.http_content="*Record Management*" OR Web.http_content="*AIA-Agent Invoker*" OR Web.http_content="*sys_user*" OR Web.url="*servicenowexternalagent*") by Web.dest Web.action Web.status | `drop_dm_object_name(Web)` | where status=200 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql // Detect outbound calls from any device to ServiceNow tenants invoking the Virtual Agent / AutoChat API while carrying Record-Management agent indicators (CVE-2025-12420 BodySnatcher). let SnowHost = "service-now.com"; let ChatAPI = dynamic(["/api/now/v1/awa", "/api/now/cs/", "/api/sn_va_as_service", "virtualagent", "openframe"]); DeviceNetworkEvents | where Timestamp > ago(30d) | where RemoteUrl has SnowHost | where RemoteUrl has_any (ChatAPI) | where AdditionalFields has_any ("Record Management", "AIA-Agent Invoker", "servicenowexternalagent", "sys_user") | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountUpn, RemoteUrl, RemoteIP, RemotePort, AdditionalFields | order by Timestamp desc ``` ### Remote service execution — PsExec / SMB lateral movement `UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by Timestamp desc ``` ### OAuth consent / suspicious app grant `UC_OAUTH_ABUSE` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication.Authentication where Authentication.action="success" AND Authentication.signature IN ( "Consent to application", "Add app role assignment grant to user", "Add OAuth2PermissionGrant", "Add delegated permission grant") by Authentication.user, Authentication.app, Authentication.src, Authentication.signature | `drop_dm_object_name(Authentication)` ``` **Defender KQL:** ```kql CloudAppEvents | where Timestamp > ago(7d) | where ActionType in ("Consent to application.","Add OAuth2PermissionGrant.","Add delegated permission grant.") | project Timestamp, AccountObjectId, AccountDisplayName, ActivityType, ActivityObjects, IPAddress, UserAgent ``` ### RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard `UC_RMM_TOOLS` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe","kaseya*.exe") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe") or FileName matches regex @"(?i)kaseya.*\.exe" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2025-12420` ## Why this matters Severity classified as **HIGH** based on: CVE present, 6 use case(s) fired, 9 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.