“With respect to what was publicly understood relating to the deployment of AI agents on the platform, this understanding is groundbreaking,” the researchers stated. “The overall consensus was that for an AI agent to be executed outside of testing, it must be deployed to a channel that has explicitly enabled the Now Assist function. However, this isn’t the case. Evidently, as long as the agent is in an active state and the calling user has the necessary permissions, it can be executed directly via these topics.”
Typically, using the agent-to-agent API requires a ServiceNow account, but because it is a wrapper for the older Virtual Agent API, which doesn’t require a ServiceNow account, this requirement can be bypassed.
An attacker would also need the unique ID of an AI agent that exists in their victim’s ServiceNow instance. It turns out that installing the Now Assist AI application deploys example agents by default, including the Record Management AI Agent, which was capable of creating records in any arbitrary table. This agent, which has been removed as part of the patch, had the same UID across all deployments.