Radware Reveals ZombieAgent Zero-Click Vulnerability Enabling Silent AI Agent Takeover and Data Exfiltration

Radware® (NASDAQ: RDWR), a global leader in application security and delivery solutions for multi-cloud environments, today announced the discovery of ZombieAgent, a new zero-click indirect prompt injection (IPI) vulnerability affecting OpenAI’s ChatGPT models. The vulnerability could enable attackers to silently hijack AI agents, persist within their memory, and exfiltrate sensitive enterprise data without user interaction […]

Application Security | Artificial Intelligence | Cloud Security | Threat Intelligence

Posted: Monday, Jan 12

KBI.Media
$
Radware Reveals ZombieAgent Zero-Click Vulnerability Enabling Silent AI Agent Takeover and Data Exfiltration

Radware Reveals ZombieAgent Zero-Click Vulnerability Enabling Silent AI Agent Takeover and Data Exfiltration

Radware® (NASDAQ: RDWR), a global leader in application security and delivery solutions for multi-cloud environments, today announced the discovery of ZombieAgent, a new zero-click indirect prompt injection (IPI) vulnerability affecting OpenAI’s ChatGPT models. The vulnerability could enable attackers to silently hijack AI agents, persist within their memory, and exfiltrate sensitive enterprise data without user interaction or visibility from traditional security controls.

ZombieAgent allows attackers to embed hidden instructions into everyday content such as emails, documents or webpages. When an AI agent processes this content during routine tasks—such as inbox summarisation—the concealed instructions are interpreted as legitimate commands. No click or user action is required to trigger the attack.

Radware researchers found that ZombieAgent builds on the previously disclosed ShadowLeak vulnerability but introduces a more advanced attack stage. In this phase, malicious rules are implanted directly into an agent’s long-term memory or working notes, enabling persistence without further attacker engagement. Once compromised, the agent executes hidden actions every time it is used, silently collecting sensitive information over time and potentially propagating the attack to additional contacts or email recipients.

A single malicious email could therefore serve as the entry point to a growing, automated, worm-like campaign inside an organisation and beyond.

“All malicious activity occurs entirely within the cloud,” said Pascal Geenens, vice president of threat intelligence at Radware. “Enterprises rely on AI agents to access sensitive systems and make decisions, yet they have little visibility into how agents interpret untrusted content or what actions they execute once compromised. This creates a significant blind spot that attackers can exploit.”

A defining characteristic of ZombieAgent is that all data exfiltration and command execution occur within OpenAI’s cloud infrastructure rather than on the user’s device or within the organisation’s IT environment. As a result, no endpoint logs are generated, no network traffic passes through enterprise security stacks, and no alerts are triggered by traditional security tools such as firewalls, secure web gateways or endpoint detection and response platforms.

ZombieAgent highlights the growing risks associated with the expanding agentic threat surface, as AI agents increasingly read emails, interact with corporate systems, initiate workflows and operate autonomously. Radware disclosed the vulnerability to OpenAI under responsible disclosure protocols.

Radware will host a live webinar on 20 January 2026, titled “ZombieAgent: New ChatGPT Vulnerabilities Let Data Theft Continue (and Spread)”, where its researchers will provide a detailed technical breakdown of the attack, along with mitigation strategies and best practices for securing AI agents. Full research findings will be published through Radware’s Security Research Centre following the webinar.