The vulnerability directs ChatGPT’s Deep Research agent to exfiltrate sensitive customer data autonomously from OpenAI servers and could fuel a growing, automated, worm-like attack campaign inside organizations
Radware, a global leader in application security and delivery solutions for multi-cloud environments, announced the discovery of ZombieAgent, a new zero-click indirect prompt injection (IPI) vulnerability targeting OpenAI’s Deep Research agent. The vulnerability could expose enterprises to invisible data theft, persistent agent hijacking, and service-side execution that could bypass an organization’s security controls.
Persistent Memory Manipulation and Autonomous Propagation
ZombieAgent initially resembles Radware’s previously disclosed ShadowLeak vulnerability, which shows how indirect prompt injection techniques could be used to influence the behavior of AI agents. However, Radware’s researchers also identified a more advanced attack stage in which ZombieAgent implants malicious rules directly into an agent’s long-term memory or working notes. This allows the attacker to establish persistence without re-engaging the target. The attack then executes hidden actions every time the agent is used, silently collecting sensitive information over time. It is also capable of propagating across additional contacts or email recipients.
A single malicious email could therefore become the entry point to a growing, automated, worm-like campaign inside the organization and beyond.
“ZombieAgent illustrates a critical structural weakness in today’s agentic AI platforms,” said Pascal Geenens, vice president, threat intelligence, Radware. “Enterprises rely on these agents to make decisions and access sensitive systems, but they lack visibility into how agents interpret untrusted content or what actions they execute in the cloud. This creates a dangerous blind spot that attackers are already exploiting.”
Zero-Click Exploitation Through Hidden Instructions
Leveraging techniques learned from ShadowLeak, Radware’s threat intelligence research team discovered the new flaw in the guardrails deployed to protect against prompt injection vulnerabilities. Attackers can embed hidden directives into everyday emails, documents, or webpages. When an AI agent processes this content—such as during routine inbox summarization—the agent interprets the concealed instructions as legitimate commands. Once activated, the compromised agent could collect mailbox data, access sensitive files, and communicate with external servers. No user interaction is required and no “click” is needed to trigger the attack.
A defining characteristic of ZombieAgent is that all malicious actions occur within OpenAI’s cloud infrastructure, not on the user’s device or in the company’s IT environment. As a result, no endpoint logs record the activity. No network traffic passes through corporate security stacks. No traditional security tools such as secure web gateways, endpoint detection and response, or firewalls detect the sensitive data exfiltration. Therefore, no traditional alert indicates the compromise to the user. This cloud-side invisibility could make ZombieAgent exceptionally difficult to detect or stop using existing enterprise controls.
ZombieAgent builds on Radware’s earlier “ShadowLeak” findings, further demonstrating how easily attackers can exploit the rapidly expanding “agentic threat surface,” where AI agents read emails, interact with corporate systems, initiate workflows, and make decisions autonomously. Radware disclosed the vulnerability to OpenAI under responsible disclosure protocols.
Source: GlobeNewswire




