BodySnatcher vulnerability enables ServiceNow user impersonation

What happened

The BodySnatcher vulnerability enables ServiceNow user impersonation through a flaw affecting ServiceNow platform configurations. Security researchers at AppOmni identified that the vulnerability allows attackers to manipulate HTTP request bodies to impersonate authenticated users under certain conditions. The issue stems from insufficient validation of user-controlled request data within affected ServiceNow implementations. By exploiting the flaw, an attacker could perform unauthorized actions within ServiceNow instances, potentially accessing sensitive workflows, tickets, or administrative functions. The vulnerability impacts misconfigured environments rather than default deployments, and mitigations were made available to address the issue.

Who is affected

Organizations using ServiceNow with vulnerable or misconfigured implementations are potentially affected. Exposure is indirect until exploitation occurs, but it poses a risk to enterprises that rely on ServiceNow for IT service management, security operations, or business workflows.

Why CISOs should care

ServiceNow platforms often integrate deeply with identity, incident response, and business processes. User impersonation vulnerabilities introduce risks of privilege abuse, lateral movement, and manipulation of operational or security-critical workflows.

3 practical actions

  • Validate ServiceNow configurations: Review platform settings and apply recommended mitigations to prevent request body manipulation.

  • Restrict administrative privileges: Limit high-privilege roles and enforce least-privilege access across ServiceNow users.

  • Increase audit logging: Enable detailed logging and review activity for anomalous user actions or workflow changes.