Radware Finds Zero-Click AI Flaw Exposing OpenAI Agents

Radware has revealed a newly identified AI security threat called ZombieAgent, a zero-click indirect prompt injection (IPI) vulnerability that targets OpenAI’s Deep Research agent and could place enterprises at serious risk. According to Radware, the flaw enables silent data extraction, long-term agent manipulation, and service-side execution that can bypass traditional enterprise security defenses.

Unlike earlier prompt injection attacks, ZombieAgent does not require any user action. Instead, attackers can hide malicious instructions inside normal business content such as emails, documents, or webpages. When AI agents process this material during standard tasks like inbox summaries or research workflows, they unknowingly activate the concealed commands. As a result, compromised agents may start collecting mailbox data, accessing sensitive corporate files, and communicating with external systems without alerting users or IT teams.

What makes ZombieAgent particularly dangerous is its ability to maintain persistence. While the attack resembles Radware’s previously reported ShadowLeak vulnerability, researchers uncovered a more advanced stage in which malicious rules embed themselves directly into the agent’s memory or internal notes. Consequently, the AI continues executing hidden actions every time it runs, even if the original malicious content is no longer present. Over time, the agent can quietly gather sensitive data and spread the attack to new contacts through automated communication.

Moreover, Radware warns that a single infected email could spark a growing worm-like campaign across departments and even outside the organization. Since AI agents routinely interact with multiple systems and people, the attack surface expands rapidly once the infection begins.

Another alarming aspect of ZombieAgent is where the attack operates. All malicious actions occur within OpenAI’s cloud infrastructure rather than on employee devices or corporate networks. Therefore, endpoint detection tools, firewalls, secure web gateways, and network monitoring platforms see nothing unusual. No logs capture the data transfer, and no alerts notify administrators of the breach. This cloud-side invisibility allows attackers to operate undetected while harvesting sensitive enterprise information.

Radware explains that ZombieAgent highlights a growing “agentic threat surface,” where AI tools autonomously read emails, trigger workflows, and make operational decisions. As businesses increasingly depend on AI agents for productivity and automation, attackers gain more opportunities to exploit trusted systems through manipulated content.

To address the issue responsibly, Radware disclosed the vulnerability to OpenAI following standard security reporting procedures. The company also published technical research explaining how attackers bypass current guardrails designed to prevent prompt injection attacks.

Radware will also release complete technical documentation and mitigation guidance through its Security Research Center after the webinar. These materials aim to help enterprises strengthen oversight of AI agents and limit exposure to invisible cloud-based exploits.

Pascal Geenens, Vice President, Threat Intelligence, Radware, stated:

"ZombieAgent illustrates a critical structural weakness in today’s agentic AI platforms. Enterprises rely on these agents to make decisions and access sensitive systems, but they lack visibility into how agents interpret untrusted content or what actions they execute in the cloud. This creates a dangerous blind spot that attackers are already exploiting."

Overall, the ZombieAgent discovery underscores the urgent need for stronger monitoring, validation, and security controls around AI agents as organizations accelerate adoption of autonomous AI across business operations.

To join our expert panel discussions, reach out to info@intentamplify.com

Recommended News

• Crittora Launches Cryptographic Trust for Agentic AI
• Mutare Launches Voice Traffic Score for Webex Security
• Concentrix Launches Pre-Built Conversational AI Agents