- Attack Method: Researchers found second-order prompt injection attacks exploiting ServiceNow’s Now Assist AI agents, leveraging their agent-to-agent discovery for unauthorized actions.
- Consequences: Malicious prompts can cause AI agents to leak sensitive data, modify corporate records, and escalate privileges, all without user knowledge.
- Vulnerability: Default configuration settings allow agents to discover and recruit each other, enabling harmful instruction chains.
- Recommendations: To mitigate risks, organizations should enable supervised execution mode for privileged agents, segment teams, monitor agent behavior, and disable risky overrides.
This newly uncovered exploit highlights how ServiceNow’s powerful Now Assist platform’s generative AI agents can be tricked into cooperating for malicious ends. By embedding harmful prompts inside AI tasks, attackers can quietly exfiltrate data, change sensitive records, or gain unauthorized access. The underlying problem lies not in the AI model itself but in default settings designed to facilitate agent collaboration, turned into a vector for so-called second-order prompt injection attacks. Unaware users and IT teams face risk as AI agents run with user privilege, carrying out harmful commands silently.
Aaron Costello, Chief of SaaS Security Research at AppOmni, emphasized, “This discovery is alarming because it isn’t a bug in the AI; it’s expected behavior as defined by certain default configuration options. When agents can discover and recruit each other, a harmless request can quietly turn into an attack, with criminals stealing sensitive data or gaining more access to internal company systems.”
AppOmni’s researchers recommend configuring supervised execution modes for privileged agents, disabling override properties that allow unsupervised tool execution, segmenting agent teams by duties, and proactively monitoring AI agent behavior for suspicious activities to mitigate risks.
Additional Information
[1](https://thehackernews.com/2025/11/servicenow-ai-agents-can-be-tricked.html)
[2](https://securityboulevard.com/2025/11/when-ai-turns-on-its-team-exploiting-agent-to-agent-discovery-via-prompt-injection/)
[3](https://www.cryptopolitan.com/servicenows-ai-agents-coordinated-attacks/)
[4](https://www.morningstar.com/news/business-wire/20251119211250/appomni-delivers-industry-first-real-time-agentic-ai-security-for-servicenow)
[5](https://www.servicenow.com/docs/bundle/zurich-intelligent-experiences/page/administer/now-assist-admin/task/configure-prompt-injection-attack-protection.html)
[6](https://www.servicenow.com/docs/bundle/xanadu-intelligent-experiences/page/administer/now-assist-platform/concept/now-assist-guardian.html)
[7](https://www.obsidiansecurity.com/blog/prompt-injection)
[8](https://www.servicenow.com/research/publication/abhay-puri-shif-now-ai2025.html)
[9](https://blog.lastpass.com/posts/prompt-injection)
![Online Scam Cases Continue to Rise Despite Crackdowns on Foreign Fraud Networks [Myanmar]](https://sumtrix.com/wp-content/uploads/2025/06/30-12-120x86.jpg "Online Scam Cases Continue to Rise Despite Crackdowns on Foreign Fraud Networks [Myanmar]")
