Radware, a global leader in cybersecurity and application delivery solutions, has revealed the discovery of ShadowLeak—a zero-click vulnerability affecting ChatGPT’s Deep Research agent. This previously unknown flaw enables attackers to steal sensitive data without any user interaction, visible alerts, or evidence on devices and networks.

Following responsible disclosure protocols, Radware reported the issue to OpenAI. Radware’s Security Research Center (RSRC) demonstrated that an attacker could trigger the exploit simply by sending an email. Once ChatGPT’s agent processed the malicious content, confidential data was extracted, even if the recipient never opened or clicked the message.

“This represents the purest form of a zero-click attack,” said David Aviv, Chief Technology Officer at Radware. “The compromise occurs entirely in the background, driven by the AI agent’s actions on OpenAI’s cloud servers, leaving victims completely unaware.”

The research team—led by Gabi Nakibly and Zvika Babo, with contributions from Maor Uziel—confirmed that ShadowLeak is the first server-side exploit of its kind. Unlike earlier zero-click vulnerabilities, this attack leaves no trace at the network layer, making detection nearly impossible for enterprise customers.

Pascal Geenens, Radware’s Director of Cyber Threat Intelligence, emphasized the broader implications: “AI autonomy, SaaS models, and integration with sensitive business data create a new category of risks. Built-in safeguards alone cannot prevent abuse, and traditional security tools often lack the visibility to detect these sophisticated vectors.”

The discovery comes as AI adoption accelerates in the enterprise sector. In an August 2025 CNBC interview, Nick Turley, VP of Product for ChatGPT, confirmed that more than 5 million businesses are paying subscribers. Radware warns that without enhanced defenses, organizations relying solely on vendor protections may remain vulnerable to this emerging class of AI-driven threats.
