Critical ServiceNow AI Platform Flaw Allowed Unauthenticated Code Execution

ServiceNow has patched a critical flaw in its AI Platform that could have let unauthenticated attackers escape sandbox isolation and execute code. No active exploitation confirmed, but self-hosted customers must patch now.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region3 min read
Illustration representing a critical sandbox escape vulnerability in the ServiceNow AI Platform allowing unauthenticated code execution.

Illustration representing a critical sandbox escape vulnerability in the ServiceNow AI Platform allowing unauthenticated code execution.

ServiceNow has patched a critical vulnerability in its AI Platform that could have allowed unauthenticated attackers to break out of the platform's sandbox isolation and execute arbitrary code. The flaw, tracked as CVE-2026-6875, carries a CVSS score of 9.5 and was documented internally under KB3137947, rated critical by the company's own posture team.

The sandbox in question is designed to isolate AI-driven processes, including Now Assist and other generative AI features embedded across the platform, from the broader application stack. A successful escape from that containment layer would let an attacker run malicious code directly within ServiceNow without needing valid credentials. Because ServiceNow's AI platform underpins core enterprise workflows spanning IT service management, HR, finance and security operations, a compromise at this level could expose sensitive business data, service records and integrated third-party systems depending on how an instance is configured.

ServiceNow has issued fixes across multiple release families, covering both hosted and self-hosted deployments. Hosted instances have already received the update automatically. Self-hosted customers and partners running Brazil, Australia, Zurich or Yokohama family releases need to apply the relevant patch manually rather than assume the fix has landed. As of the vendor's 13 July update, no evidence of active exploitation against customer instances has been found, though public disclosure of a flaw this severe typically accelerates attacker interest in reverse-engineering it.

This is not an isolated incident for enterprise SaaS platforms this year. It follows a pattern similar to the one documented when Trellix confirmed unauthorised access to its own source code repository, where a widely deployed enterprise vendor became the point of exposure for every organisation running its products, regardless of how well those organisations had secured their own environments. The lesson for GCC enterprises is the same in both cases: vendor security posture is now inseparable from your own risk register, not a separate line item to review once a year.

The broader trend also fits the direction flagged in coverage of the AI-native security platform race, where the rush to embed generative and agentic AI features directly into core enterprise platforms is outpacing the maturity of the isolation and governance controls meant to contain them. Sandbox escape flaws specifically undermine the core assumption enterprises make when adopting AI features inside SaaS platforms: that untrusted or experimental AI processing stays contained. When that assumption breaks, the blast radius extends to every connected system the platform touches.

Security teams running ServiceNow, particularly self-hosted or partner-hosted instances, should verify their current version against the patched release list immediately, prioritise internet-facing deployments, and review Now Assist and AI platform usage logs for anomalous activity that could indicate attempted exploitation before the patch was applied.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

SaaS Platform VulnerabilitiesAI Feature Isolation RiskVendor Security Posture