InfoSec Briefing - January 17, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Friday, January 16, 2026, covering 2 articles analyzed overnight. All attribution is by the article authors. All article analysis is automated.

Fly.io has launched Sprites, a new platform offering disposable Linux virtual machines with root access and KVM micro-VM isolation. The architecture features an innovative inside-out orchestration model where management logic runs within the VM's root namespace rather than on the host, designed to reduce blast radius and improve isolation, with 100GB durable root filesystems backed by S3-compatible object storage using JuiceFS and Litestream for metadata durability.

AppOmni's Aaron Costello has disclosed CVE-2025-12420, dubbed BodySnatcher, a critical authentication bypass vulnerability in ServiceNow's Virtual Agent and Now Assist AI agents that allows unauthenticated attackers to impersonate any user, including administrators, using only an email address. The flaw stems from a shared static client secret and weak account-linking logic, affecting on-premise ServiceNow customers running specific versions of Now Assist AI Agents 5.0.24 through 5.2.18 and Virtual Agent API through version 4.0.3.

That concludes today's briefing.

📰 Articles Covered

The Design & Implementation of Sprites - Fly.io

The article introduces **Sprites**, a new offering from Fly.io that redefines disposable computing by providing Linux virtual machines with root access that can be created almost instantly.

**What Happened:**
Fly.io launched **Sprites**, a new platform that offers disposable Linux virtual machines. This is a departure from their previous product, Fly Machines, which were based on OCI containers. Sprites are designed for rapid creation, persistent storage, and automatic sleep when inactive, making them cost-effective for various tasks.

**Who is Affected:**
Developers and users who need quick, temporary, and isolated computing environments will be affected. This includes those prototyping applications, running acceptance tests, or engaging in tasks where a full-fledged, always-on server is unnecessary or cost-prohibitive.

**Security Implications:**
Sprites offer the isolation of KVM micro-VMs, providing root access within the VM. The article highlights that the core orchestration and management work happens *inside* the VM, with a container layer between the user and the kernel. This "inside-out" orchestration model means changes to Sprites have a smaller blast radius, potentially improving stability and security by isolating modifications to new VMs. The use of object storage for durable state also implies that the core data is managed by robust, external infrastructure.

**Technical Details:**
Sprites are Linux VMs with a 100GB durable root filesystem. Key technical decisions that enable Sprites include:

* **No More Container Images:** Sprites eliminate the need for users to manage container images, significantly speeding up creation time. Instead, they use a standard container internally, allowing for pre-pooled "empty" Sprites.
* **Object Storage for Disks:** The root filesystem is backed by S3-compatible object storage, with NVMe used as a read-through cache. This provides durability and simplifies workload migration and recovery. The storage stack is organized around the JuiceFS model, splitting data into chunks on object stores and metadata on local storage, with metadata durability provided by Litestream.
* **Inside-Out Orchestration:** Most orchestration and management logic resides within the VM's root namespace, rather than on the host. This includes the storage stack, service manager, logging, and network socket binding. This design allows for bouncing Sprites without rebooting the entire VM.

**What Defenders Should Know:**
Defenders should understand that Sprites are designed for rapid iteration and disposable use. Key takeaways include:

* **Instant Creation:** Sprites can be created in seconds, making them ideal for ephemeral tasks.
* **Cost-Effectiveness:** They automatically sleep when inactive, incurring minimal costs. Billing is based on actual usage, particularly for storage blocks written.
* **Persistent Storage:** Despite being disposable, Sprites have a 100GB persistent disk backed by object storage.
* **Prototyping and Testing:** Sprites are well-suited for prototyping and acceptance testing, with a potential automated workflow to transition to more permanent solutions like Fly Machines for scaling.
* **Contract with User Code:** Sprites establish a clear API and set of expectations for the execution environment, which can run on top of Fly Machines or potentially other runtimes in the future.
BodySnatcher (CVE-2025-12420): A Broken Authentication and Agentic Hijacking Vulnerability in ServiceNow - The content posted at the provided URL is controlled by **AppOmni**. The author of the content is **Aaron Costello**, who is the Chief of Security Research at AppOmni.

The **BodySnatcher vulnerability (CVE-2025-12420)** is a critical security flaw discovered in **ServiceNow's Virtual Agent and Now Assist AI agents** that allows unauthenticated attackers to impersonate any user, including administrators, by bypassing multi-factor authentication (MFA) and single sign-on (SSO) using only an email address. This vulnerability amplifies traditional security weaknesses by enabling the hijacking of AI agents, turning them into tools for malicious activities.

**What Happened:**
The vulnerability stems from a shared, static client secret (`servicenowexternalagent`) used across all ServiceNow instances for AI Agent providers. This secret, combined with account-linking logic that trusts any requester with this token and only requires an email address, allows an attacker to impersonate any user. The attacker can then leverage the 'AIA-Agent Invoker AutoChat' topic to execute AI agents, such as the 'Record management AI agent,' to create new administrative accounts, assign them privileged roles, and gain full control of the ServiceNow instance.

**Who is Affected:**
This vulnerability affects **on-premise ServiceNow customers** running specific versions of the **Now Assist AI Agents (sn_aia)** and **Virtual Agent API (sn_va_as_service)** applications. The affected versions for Now Assist AI Agents range from 5.0.24 to 5.1.17 and 5.2.0 to 5.2.18. For the Virtual Agent API, affected versions include those less than or equal to 3.15.1 and from 4.0.0 to 4.0.3. Cloud-hosted customers do not require action.

**Security Implications:**
The security implications are severe, as an attacker can gain **unlimited access** to an organization's sensitive data, including customer Social Security numbers, healthcare information, financial records, and intellectual property. The exploit allows for privilege escalation from an unauthenticated user to a full administrator, enabling the creation of backdoor accounts and complete compromise of the ServiceNow platform. This vulnerability highlights how AI agents can be weaponized, turning tools designed for workflow simplification into critical security risks.

**Technical Details:**
The exploit chain involves several key components:
* **Shared Client Secret:** A static, non-rotating client secret (`servicenowexternalagent`) used by AI Agent channel providers.
* **Insecure Account Linking:** The Auto-Linking logic trusts any requester with the shared token and only requires an email address, bypassing MFA and SSO.
* **Virtual Agent API:** This API, lacking authentication at its layer, serves as the entry point for the attack.
* **'AIA-Agent Invoker AutoChat' Topic:** This restricted topic is used to execute AI agents.
* **AI Agents:** Specific AI agents, like the 'Record management AI agent,' possess tools (e.g., 'Create the record') that can be manipulated to create new admin users.
* **Privilege Escalation:** By chaining these elements, an attacker can create a new user, assign it the 'admin' role, and then reset its password to gain full administrative access.

**What Defenders Should Know:**
Defenders need to understand that AI agents are critical infrastructure and require robust security measures. Key recommendations include:
* **Immediate Upgrade:** On-premise customers must **immediately upgrade** to the earliest fixed versions of affected applications.
* **Enforce MFA:** Require **MFA for account linking** during the AI agent provider setup. This is crucial to break the impersonation stage of the exploit. Ensure the 'Automatic link action' script includes logic to execute and validate MFA challenges.
* **Automated Review Process:** Implement an automated approval process for AI agents using ServiceNow's **AI Control Tower** and the **AI Steward** role to ensure agents comply with security policies before deployment.
* **Review and Disable Unused Agents:** Regularly **audit and de-provision dormant or unused AI agents** to reduce the attack surface. AI Control Tower can help identify agents inactive for over 90 days.
* **Address Fundamental Configurations:** Recognize that point-in-time fixes are insufficient. The underlying configuration choices that enable such vulnerabilities must be addressed. Adhering to security best practices for platform administrators is essential to prevent recurrence.