Business
Radware Unveils “ZombieAgent”: A Newly Discovered Zero-Click, AI Agent Vulnerability Enabling Silent Takeover and Cloud-Based Data Exfiltration
The vulnerability directs ChatGPT’s Deep Research agent to exfiltrate sensitive customer data autonomously from OpenAI servers and could fuel a growing,
About this update from Radware Ltd.
[{"type":"text","content":"The vulnerability directs ChatGPT’s Deep Research agent to exfiltrate sensitive customer data autonomously from OpenAI servers and could fuel a growing, automated, worm-like attack campaign inside organizations\nMAHWAH, N.J., Jan. 08, 2026 (GLOBE NEWSWIRE) -- Radware® (NASDAQ: RDWR), a global leader in application security and delivery solutions for multi-cloud environments, today announced the discovery of ZombieAgent, a new zero-click indirect prompt injection (IPI) vulnerability targeting OpenAI’s Deep Research agent. The vulnerability could expose enterprises to invisible data theft, persistent agent hijacking, and service-side execution that could bypass an organization’s security controls. Persistent Memory Manipulation and Autonomous Propagation ZombieAgent initially resembles Radware’s previously disclosed ShadowLeak vulnerability, which shows how indirect prompt injection techniques could be used to influence the behavior of AI agents. However, Radware’s researchers also identified a more advanced attack stage in which ZombieAgent implants malicious rules directly into an agent’s long-term memory or working notes. This allows the attacker to establish persistence without re-engaging the target. It executes hidden actions every time the agent is used, silently collecting sensitive information over time. It is also capable of propagating the attack across additional contacts or email recipients. A single malicious email could therefore become the entry point to a growing, automated, worm-like campaign inside the organization and beyond. “ZombieAgent illustrates a critical structural weakness in today’s agentic AI platforms,” said Pascal Geenens, vice president, threat intelligence, Radware. “Enterprises rely on these agents to make decisions and access sensitive systems, but they lack visibility into how agents interpret untrusted content or what actions they execute in the cloud. This creates a dangerous blind spot that attackers are already exploiting.” Zero-Click Exploitation Through Hidden Instructions Leveraging techniques learned from ShadowLeak, Radware’s threat intelligence research team discovered the new flaw in the guardrails deployed to protect against prompt injection vulnerabilities. Attackers can embed hidden directives into everyday emails, documents, or webpages. When an AI agent processes this content—su...