ServiceNow patched a critical security flaw in its AI platform that could let attackers impersonate users and run actions as those users. The vulnerability, tracked as CVE-2025-12420 and known as BodySnatcher, was first reported by AppOmni in October 2025.
The BodySnatcher vulnerability affected two parts of ServiceNow: the Virtual Agent API and the Now Assist AI Agents application. It allowed an unauthenticated attacker to call APIs and impersonate any user, including administrators, using only a known email address. Because the impersonation happened after the normal login path, it bypassed multi-factor authentication and single sign-on controls.
The exploit chain combined:
A shared static secret used by certain agent channel providers,
logic that accepted an email address as proof of identity,
and the ability to invoke agentic workflows with elevated privileges.
Once impersonated, the attacker could use agent workflows to create accounts, modify records, or perform other actions at scale.
Figure: High-level view of the BodySnatcher exploit chain, based on the AppOmni overview.
Large enterprises use ServiceNow as a core platform. When AI agents can act autonomously on behalf of users, identity and API security errors become amplified risk vectors. In this case, traditional authentication weaknesses combined with autonomous agents created a path to broad, unintended access.
Agentic workflows are designed to speed up business processes. But when they run as a user without strong verification, they can execute privileged actions, including account creation and role assignment.
Where data is not encrypted or tokenized at the client edge before it reaches the platform, organizations depend entirely on upstream, in-platform controls to protect sensitive data. When identity or API controls fail, those in-platform protections alone are not sufficient.
This makes external, customer-controlled security layers critical as AI-driven workflows expand.
The exploit relied on a static secret, shared across environments, to authenticate agent channels. Because the secret was the same everywhere, anyone who knew it could call sensitive APIs, and weak upstream validation did nothing to stop them.
The linking mechanism accepted an email address as proof of identity without enforcing strong authentication. This let attackers impersonate users across the platform.
The agentic AI components could run workflows with elevated privileges once handed a trusted identity. This multiplied the impact of the impersonation itself.
The BodySnatcher vulnerability showed how API access, identity trust, and agentic workflows can fail together. StratoKey can help address each of these failure points directly.
The attack relied on weak API authentication and trusted integration access.
StratoKey’s API Gateway enforces strict controls before requests reach ServiceNow.
Blocks unauthenticated or weakly authenticated API calls,
Rejects static or shared secrets through configured policy and rules,
Enforces approved request structures and actions,
Mandates different authentication and policy requirements for read-only versus execution endpoints.
This prevents unsafe calls from triggering agent workflows.
BodySnatcher allowed an API caller to be linked to a real user based only on an email address.
StratoKey’s Identity Gateway prevents this type of identity abuse.
Requires cryptographic proof of identity,
Prevents identity linking based on metadata alone,
Enforces step-up verification for privileged actions,
Separates agent identity from user identity.
This ensures AI agents cannot act as users without strong verification.
If a control is bypassed, data protection becomes critical.
StratoKey’s Data Protection Gateway secures data before it enters SaaS and AI workflows.
Encrypts or tokenizes sensitive fields (in-app and within the API payload),
Limits which data is exposed to agents,
Ensures regulated data is never visible in plaintext.
This limits the impact of impersonation and prevents large-scale data exposure.
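The field-level protection described above, as an added example. This is illustrative code, not StratoKey's product code; the record, the field policy, the role names and the in-memory vault are constructed, and in a real deployment the vault would sit under the customer's control outside the SaaS platform. It drops the fields an agent does not need, replaces the sensitive fields that remain with vault tokens, and allows detokenization only for an authorized role, so a workflow running under an impersonated user still receives no plaintext.

```python
"""Field-level tokenization before a record reaches an AI-agent workflow.

Added example, not StratoKey's product code; the record, the field policy,
the role names and the in-memory vault are constructed.
"""
import secrets

SENSITIVE = {"ssn", "card_number", "dob"}             # never leave in plaintext
EXPOSED_TO_AGENTS = {"ticket_id", "category", "ssn"}  # agents need nothing else
DETOKENIZE_ROLES = {"data_steward"}                    # may reverse a token


class TokenVault:
    """Maps plaintext to random tokens; plaintext never enters the agent payload."""

    def __init__(self):
        self._forward = {}  # plaintext -> token
        self._reverse = {}  # token -> plaintext

    def tokenize(self, value: str) -> str:
        # Same plaintext always yields the same token, so records stay joinable.
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token: str, caller_roles: set) -> str:
        if not caller_roles & DETOKENIZE_ROLES:
            raise PermissionError("caller may not detokenize")
        return self._reverse[token]


def prepare_for_agent(record: dict, vault: TokenVault) -> dict:
    """Drops fields agents do not need and tokenizes the sensitive ones that remain."""
    payload = {}
    for field, value in record.items():
        if field not in EXPOSED_TO_AGENTS:
            continue
        payload[field] = vault.tokenize(value) if field in SENSITIVE else value
    return payload


def leaks_plaintext(payload: dict, record: dict) -> bool:
    """True if any sensitive value from the record appears verbatim in the payload."""
    sensitive_values = {record[f] for f in SENSITIVE if f in record}
    return any(v in sensitive_values for v in payload.values())
```

The check in leaks_plaintext is the kind of guard worth running at the gateway on every outbound payload: it costs one set lookup per field and catches a misconfigured field policy before the agent sees the data.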
Agentic AI increases speed and autonomy, but it also increases risk when identity or API controls fail. Organizations often do not fully understand who or what is interacting with their data, or how deep that access goes. StratoKey applies layered controls across access, identity, and data security so that a single weakness cannot become a platform-wide incident.
For regulated industries, the impact is higher. Agentic AI workflows often handle controlled data such as personal data (PII), financial records, healthcare information (PHI) and in some cases CUI and export-restricted information. When identity or API controls fail, this can trigger compliance breaches, not just security incidents.