
ZDNET's key takeaways
- Researchers find exploitable agentic AI technologies from ServiceNow and Microsoft.
- Securing agentic AI is already proving to be highly challenging.
- Cybersecurity pros should adopt a "least privilege" posture for AI agents.
Could agentic AI turn out to be every threat actor's fantasy? I suggested as much in my recent "10 ways AI can inflict unprecedented harm in 2026."
Once deployed on corporate networks, AI agents with broad access to sensitive systems of record can enable the kind of lateral movement across an organization's IT estate that most threat actors dream of.
How 'lateral movement' nets threat actors escalated privileges
According to Jonathan Wall, founder and CEO of Runloop -- a platform for securely deploying AI agents -- lateral movement should be of grave concern to cybersecurity professionals in the context of agentic AI. "Let's say a malicious actor gains access to an agent but it doesn't have the necessary permissions to go touch some resource," Wall told ZDNET. "If, through that first agent, a malicious agent is able to connect to another agent with a [better] set of privileges to that resource, then he will have escalated his privileges through lateral movement and potentially gained unauthorized access to sensitive data."
Meanwhile, the idea of agentic AI is so new that many of the workflows and platforms for developing and securely provisioning those agents have not yet considered all the ways a threat actor might exploit their existence. It's eerily reminiscent of software development's early days, when few programmers knew how to write software without leaving gaping holes through which hackers could drive a proverbial Mack truck.
Google's cybersecurity leaders recently identified shadow agents as a critical concern. "By 2026, we expect the proliferation of sophisticated AI agents will escalate the shadow AI problem into a critical 'shadow agent' challenge. In organizations, employees will independently deploy these powerful, autonomous agents for work tasks, regardless of corporate approval," wrote the experts in Google's Mandiant and threat intelligence organizations. "This will create invisible, uncontrolled pipelines for sensitive data, potentially leading to data leaks, compliance violations, and IP theft."
Meanwhile, 2026 is barely out of the gates and, judging by two separate cybersecurity cases having to do with agentic AI -- one involving ServiceNow and the other Microsoft -- the agentic surface of any IT estate will likely become the juicy target that threat actors are seeking -- one that's full of easily exploited lateral opportunities.
Since the two agentic AI-related issues -- both involving agent-to-agent interactions -- were first discovered, ServiceNow has plugged its vulnerabilities before any customers were known to have been impacted, and Microsoft has issued guidance to its customers on how best to configure its agentic AI management platform for tighter agent security.
BodySnatcher: 'Most severe AI-driven vulnerability to date'
Earlier this month, AppOmni Labs chief of research Aaron Costello disclosed for the first time a detailed description of how he discovered an agentic AI vulnerability on ServiceNow's platform, which held such potential for harm that AppOmni gave it the name "BodySnatcher."
"Imagine an unauthenticated attacker who has never logged into your ServiceNow instance and has no credentials, and is sitting halfway across the globe," wrote Costello in a post published to the AppOmni Labs website. "With only a target's email address, the attacker can impersonate an administrator and execute an AI agent to override security controls and create backdoor accounts with full privileges. This could grant almost unlimited access to everything an organization houses, such as customer Social Security numbers, healthcare data, financial records, or confidential intellectual property." (AppOmni Labs is the threat intelligence research arm of AppOmni, an enterprise cybersecurity solution provider.)
The vulnerability's severity cannot be overstated. Whereas the vast majority of breaches involve the theft of one or more highly privileged digital credentials (credentials that afford threat actors access to sensitive systems of record), this vulnerability -- requiring only the target's easily acquired email address -- left the front door wide open.
"BodySnatcher is the most severe AI-driven vulnerability uncovered to date," Costello told ZDNET. "Attackers could have effectively 'remote controlled' an organization's AI, weaponizing the very tools meant to simplify the enterprise."
"This was not an isolated incident," Costello noted. "It builds upon my previous research into ServiceNow's Agent-to-Agent discovery mechanism, which, in an almost textbook definition of lateral movement risk, detailed how attackers can trick AI agents into recruiting more powerful AI agents to fulfill a malicious task."
Researchers a step ahead of hackers on BodySnatcher
Fortunately, this was one of the better examples of a cybersecurity researcher discovering a severe vulnerability before threat actors did.
"At this time, ServiceNow is unaware of this issue being exploited in the wild against customer instances," noted ServiceNow in a January 2026 post regarding the vulnerability. "In October 2025, we issued a security update to customer instances that addressed the issue," a ServiceNow spokesperson told ZDNET.
According to the same post, ServiceNow recommends "that customers promptly apply an appropriate security update or upgrade if they have not already done so." That advice, according to the spokesperson, is for customers who self-host their instances of ServiceNow. For customers using the cloud (SaaS) version operated by ServiceNow, the security update was applied automatically.
Microsoft: 'Connected Agents' default is a feature, not a bug
In the case of the Microsoft agent-to-agent issue (Microsoft views it as a feature, not a bug), the backdoor opening appears to have been similarly discovered by cybersecurity researchers before threat actors could exploit it. In this case, Google News alerted me to a CybersecurityNews.com headline that stated, "Hackers Exploit Copilot Studio's New Connected Agents Feature to Gain Backdoor Access." Fortunately, the "hackers" in this case were ethical white-hat hackers working for Zenity Labs. "To clarify, we did not observe this being exploited in the wild," Zenity Labs co-founder and CTO Michael Bargury told ZDNET. "This flaw was discovered by our research team."
This caught my attention because I'd recently reported on the lengths to which Microsoft was going to make it possible for all agents -- whether built with Microsoft development tools like Copilot Studio or not -- to get their own human-like managed identities and credentials with the help of the Agent ID feature of Entra, Microsoft's cloud-based identity and access management solution.
Why is something like that necessary? Between the advertised productivity boosts associated with agentic AI and executive pressure to make organizations more profitable through AI, organizations are expected to employ many more agents than people in the near future. For example, IT research firm Gartner told ZDNET that by 2030, CIOs expect that 0% of IT work will be done by humans without AI, 75% will be done by humans augmented with AI, and 25% will be done by AI alone.
In response to the anticipated sprawl of agentic AI, the key players in the identity industry -- Microsoft, Okta, Ping Identity, Cisco, and the OpenID Foundation -- are offering solutions and recommendations to help organizations tame that sprawl and prevent rogue agents from infiltrating their networks. In my research, I also learned that any agents forged with Microsoft's development tools, such as Copilot Studio or Azure AI Foundry, are automatically registered in Entra's Agent Registry.
So, I wanted to find out how it was that agents forged with Copilot Studio -- agents that theoretically had their own credentials -- were somehow exploitable in this hack. Theoretically, the whole point of registering an identity is to easily track that identity's activity -- whether legitimately directed or misguided by threat actors -- on the corporate network. It seemed to me that something was slipping through the very agentic security net Microsoft was trying to put in place for its customers. Microsoft even offers its own security agents whose job it is to roam the corporate network like white blood cells hunting down any invasive species.
As it turns out, an agent built with Copilot Studio has a "connected agent" feature that allows other agents, whether registered with the Entra Agent Registry or not, to laterally connect to it and leverage its knowledge and capabilities. As reported in CybersecurityNews, "According to Zenity Labs, [white hat] attackers are exploiting this gap by creating malicious agents that connect to legitimate, privileged agents, particularly those with email-sending capabilities or access to sensitive business data." Zenity has its own post on the topic, appropriately titled "Connected Agents: The Hidden Agentic Puppeteer."
Even worse, CybersecurityNews reported that "By default, [the Connected Agents feature] is enabled on all new agents in Copilot Studio." In other words, when a new agent is created in Copilot Studio, it is automatically enabled to receive connections from other agents. I was incredibly surprised to read this, given that two of the three pillars of Microsoft's Secure Future Initiative are "Secure by Default" and "Secure by Design." I decided to check with Microsoft.
"Connected Agents enable interoperability between AI agents and enterprise workflows," a Microsoft spokesperson told ZDNET. "Turning them off universally would break core scenarios for customers who rely on agent collaboration for productivity and data orchestration. This allows control to be delegated to IT admins." In other words, Microsoft doesn't view it as a vulnerability. And Zenity's Bargury agrees. "It isn't a vulnerability," he told ZDNET. "But it is an unfortunate mishap that creates risk. We've been working with the Microsoft team to help drive a better design."
Even after I suggested to Microsoft that this might not be secure by default or by design, Microsoft was firm and recommended that "for any agent that uses unauthenticated tools or accesses sensitive knowledge sources, disable the Connected Agents feature before publishing [an agent]. This prevents exposure of privileged capabilities to malicious agents."
Agentic AI conversations between agents are difficult to monitor
I also inquired about the ability to monitor agent-to-agent activity, with the idea that perhaps IT admins could be alerted to potentially malicious interactions or communications.
"Secure use of agents requires knowing everything they do, so you can analyze, monitor, and steer them away from harm," said Bargury. "It has to start with detailed tracing. This finding spotlights a major blind spot [in how Microsoft's connected agents feature works]."
The response from a Microsoft spokesperson was that "Entra Agent ID provides an identity and governance path, but it does not, on its own, produce alerts for every cross-agent exploit without external monitoring configured. Microsoft is continually expanding protections to give defenders more visibility and control over agent behavior to close these kinds of exploits."
When confronted with the idea of agents that were open to connection by default, Runloop's Wall recommended that organizations should always adopt a "least privilege" posture when developing AI agents or using canned, off-the-shelf ones. "The principle of least privilege basically says that you start off in any kind of execution environment giving an agent access to almost nothing," said Wall. "And then, you only add privileges that are strictly necessary for it to do its job."
Sure enough, I looked back at the interview I did with Microsoft corporate vice president of AI Innovations, Alex Simons, for my coverage of the improvements the company made to its Entra IAM platform to support agent-specific identities. In that interview, where he described Microsoft's objectives for managing agents, Simons said that one of three challenges they were looking to solve was "to manage the permissions of those agents and make sure that they have a least privilege model where those agents are only allowed to do the things that they should do. If they start to do things that are weird or unusual, their access is automatically cut off."
Of course, there's a big difference between "can" and "do," which is why, in the name of least-privilege best practices, all agents should, as Wall suggested, start out without the ability to receive inbound connections and then be opened up from there only as necessary.
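To make the two postures discussed above concrete, here is an added example in Python that is not code from ZDNET, Zenity, Runloop, Microsoft, or ServiceNow. It models a broker that mediates every agent-to-agent call: in one mode any agent may connect to a privileged agent and inherit what it can do (the "connected agents on by default" risk, with the deputy consulting only its own permissions); in the hardened mode the target carries an inbound allowlist, and the requested action must be held by every agent in the call chain, so a low-privilege originator cannot escalate by routing through a more privileged agent. Every decision is recorded as an audit event, the kind of trace Bargury says monitoring has to start from. The agent names, permission strings, and the policy model itself are assumptions constructed for illustration.

```python
"""Agent-to-agent call broker: open default vs. least-privilege allowlist.

Added example for illustration only. Agent names, permissions and the
policy model are assumptions; nothing here is Copilot Studio, Entra,
ServiceNow or Runloop code.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Inbound policy value meaning "any agent may connect" (the open default described above).
ACCEPT_ANY = None


@dataclass(frozen=True)
class Agent:
    name: str
    # Actions this agent's own identity is permitted to perform.
    permissions: FrozenSet[str]
    # Callers allowed to connect; the empty set means no inbound connections at all.
    inbound: Optional[FrozenSet[str]] = frozenset()


@dataclass(frozen=True)
class AuditEvent:
    chain: Tuple[str, ...]   # originator first, immediate caller last
    target: str
    action: str
    allowed: bool
    reason: str


class Broker:
    """Mediates every agent-to-agent call and keeps a trace of each decision."""

    def __init__(self, agents: List[Agent]) -> None:
        self.agents = {a.name: a for a in agents}
        self.audit: List[AuditEvent] = []

    def _record(self, chain, target, action, allowed, reason) -> AuditEvent:
        event = AuditEvent(tuple(chain), target, action, allowed, reason)
        self.audit.append(event)
        return event

    def _inbound_ok(self, target: Agent, caller: str) -> bool:
        return target.inbound is ACCEPT_ANY or caller in target.inbound

    def naive_call(self, chain: Tuple[str, ...], target_name: str, action: str) -> AuditEvent:
        """Confused-deputy behaviour: only the target's own permissions are consulted,
        so any caller that can connect inherits everything the target can do."""
        target = self.agents[target_name]
        if not self._inbound_ok(target, chain[-1]):
            return self._record(chain, target_name, action, False, "inbound connection refused")
        if action not in target.permissions:
            return self._record(chain, target_name, action, False, "target lacks permission")
        return self._record(chain, target_name, action, True, "target permission only; chain not checked")

    def least_privilege_call(self, chain: Tuple[str, ...], target_name: str, action: str) -> AuditEvent:
        """Hardened: inbound allowlist, plus the action must be held by every agent in the
        chain, so a low-privilege originator cannot escalate through a privileged agent."""
        target = self.agents[target_name]
        if not self._inbound_ok(target, chain[-1]):
            return self._record(chain, target_name, action, False, "inbound connection refused")
        effective = target.permissions
        for name in chain:
            effective = effective & self.agents[name].permissions
        if action not in effective:
            return self._record(chain, target_name, action, False,
                                f"'{action}' not held by every agent in the chain")
        return self._record(chain, target_name, action, True, "held by entire chain")

    def denied_events(self) -> List[AuditEvent]:
        """What a monitoring pipeline would alert on: refused cross-agent calls."""
        return [e for e in self.audit if not e.allowed]


def build_demo(connected_agents_open: bool) -> Broker:
    """Constructed fleet: an attacker-created agent, an HR assistant, and a privileged mailer."""
    mailer_inbound = ACCEPT_ANY if connected_agents_open else frozenset({"hr_assistant"})
    return Broker([
        Agent("rogue", frozenset({"chat"})),                                   # no privileges of its own
        Agent("hr_assistant", frozenset({"chat", "read_hr_records", "send_email"})),
        Agent("mailer", frozenset({"send_email"}), inbound=mailer_inbound),    # privileged target
    ])


if __name__ == "__main__":
    open_fleet = build_demo(connected_agents_open=True)
    print(open_fleet.naive_call(("rogue",), "mailer", "send_email"))            # allowed: escalation
    print(open_fleet.least_privilege_call(("rogue",), "mailer", "send_email"))  # denied
    locked = build_demo(connected_agents_open=False)
    print(locked.least_privilege_call(("hr_assistant",), "mailer", "send_email"))          # allowed
    print(locked.least_privilege_call(("rogue", "hr_assistant"), "mailer", "send_email"))  # denied
```

The chain intersection is deliberately strict: a deputy like the mailer acts with the rights of the weakest principal in the request path, not its own, which is what stops the "recruit a more powerful agent" pattern Costello and Wall describe. In a real platform the chain would come from propagated caller identities (for example, per-agent identities from an identity provider) rather than from a tuple the caller supplies, and the audit list would feed a SIEM instead of a Python list.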