Radware reveals new vulnerabilities in ChatGPT

Radware has disclosed a newly identified artificial intelligence vulnerability dubbed “ZombieAgent”, warning that it could enable silent, zero-click compromise of enterprise AI agents and autonomous exfiltration of sensitive data from cloud environments.
According to Radware, the vulnerability affects OpenAI’s ChatGPT models and represents an advanced form of indirect prompt injection (IPI). Unlike traditional prompt-based attacks that require user interaction, ZombieAgent can be triggered without any clicks or explicit user action, making it particularly difficult for organisations to detect or contain.
Radware said ZombieAgent allows attackers to implant malicious instructions directly into an AI agent’s long-term memory or working notes. Once embedded, the malicious logic persists across sessions and executes automatically each time the agent is used. This enables ongoing data collection, agent hijacking and the potential spread of the attack to additional users or systems.
In practical terms, a single malicious email, document or webpage could serve as the initial infection vector. When an AI agent processes the content—for example, while summarising emails or reviewing documents—it may unknowingly interpret hidden instructions as legitimate commands. The compromised agent can then collect sensitive mailbox data, access files and communicate with external servers, all without user awareness.
Radware warned that ZombieAgent’s most concerning characteristic is that the malicious activity occurs entirely within the AI service provider’s cloud infrastructure. Because the execution and data exfiltration happen on the service side, rather than on endpoints or corporate networks, traditional security controls such as firewalls, secure web gateways and endpoint detection and response tools may see no indicators of compromise.
“No endpoint logs record the activity. No network traffic passes through corporate security stacks. And no traditional alert indicates the compromise to the user,” Radware said, describing the attack as effectively invisible to existing enterprise defences.
The company said ZombieAgent builds on its earlier “ShadowLeak” research, which demonstrated how indirect prompt injection techniques could influence AI agent behaviour. The new findings show a more advanced stage of exploitation, where attackers can achieve persistence and autonomous propagation, creating what Radware described as a “worm-like” attack capability inside organisations.
Pascal Geenens, Radware’s vice president of threat intelligence, said the discovery highlights a fundamental weakness in current agentic AI platforms.
“Enterprises rely on these agents to make decisions and access sensitive systems, but they lack visibility into how agents interpret untrusted content or what actions they execute in the cloud,” Geenens said. “This creates a dangerous blind spot that attackers are already exploiting.”
Radware said it disclosed the ZombieAgent vulnerability to OpenAI under responsible disclosure protocols. The company warned that as AI agents become more deeply embedded in enterprise workflows—reading emails, initiating actions and interacting with sensitive systems—the “agentic threat surface” will continue to expand, requiring new approaches to visibility, governance and security controls beyond traditional perimeter and endpoint models.