CVE-2025-3089

MEDIUM

ServiceNow AI Platform - Privilege Escalation

Description

ServiceNow has addressed a Broken Access Control vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could allow a low-privileged user to bypass access controls and perform a limited set of actions typically reserved for higher-privileged users, potentially leading to unauthorized data modifications. This issue is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners.

Scores

CVSS v4 5.3
CVSS v4 Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS 0.0007
EPSS Percentile 21.1%

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-639
Status published
Products (6)
ServiceNow/ServiceNow AI Platform Aspen - Washington DC Patch 10 Hot Fix 2a
ServiceNow/ServiceNow AI Platform Aspen - Xanadu Patch 7a
ServiceNow/ServiceNow AI Platform Aspen - Xanadu Patch 8
ServiceNow/ServiceNow AI Platform Aspen - Yokohama Patch 1a
ServiceNow/ServiceNow AI Platform Aspen - Yokohama Patch 2
ServiceNow/ServiceNow AI Platform Aspen - Zurich (EA)
Published Aug 12, 2025
Tracked Since Feb 18, 2026