TLDR: Cybersecurity firm Radware has revealed a critical zero-click, server-side vulnerability dubbed “ShadowLeak” in OpenAI’s ChatGPT Deep Research agent. This exploit allows attackers to silently exfiltrate sensitive data from OpenAI servers without any user interaction or visible traces, posing a new class of threat to the growing number of enterprise AI users.
Cybersecurity leader Radware has announced the discovery of a groundbreaking and highly concerning vulnerability, named “ShadowLeak,” affecting OpenAI’s ChatGPT Deep Research agent. This previously undocumented flaw represents the first known zero-click, server-side exploit of its kind, enabling attackers to covertly exfiltrate sensitive customer data without any user interaction or detectable network-level evidence.
The vulnerability was identified by Radware’s Security Research Center (RSRC) and responsibly disclosed to OpenAI on June 18, 2025. OpenAI acknowledged the issue and confirmed that a fix was implemented on September 3, 2025. Radware has publicly commended OpenAI’s cooperation and commitment to the security of the broader AI ecosystem.
How “ShadowLeak” Operates
Radware researchers, including Gabi Nakibly and Zvika Babo, with contributions from Maor Uziel, demonstrated that the ShadowLeak attack can be triggered by simply sending a specially crafted malicious email to a user. Crucially, the recipient does not need to open, click, or even view the message. Once ChatGPT’s Deep Research agent engages with the email in the background, the system autonomously extracts confidential data directly from OpenAI servers. This process leaves no visible cues to the victim and no traces on endpoint or network logs, making detection extremely difficult for businesses relying on traditional security tools.
David Aviv, Chief Technology Officer at Radware, emphasized the severity of the exploit, stating, “This is the quintessential zero-click attack. There is no user action required, no visible cue and no way for victims to know their data has been compromised. Everything happens entirely behind the scenes through autonomous agent actions on OpenAI cloud servers.”
Implications for Enterprise AI Adoption
The discovery comes at a critical juncture, as enterprise adoption of AI agents like ChatGPT is rapidly expanding. In August 2025, OpenAI Vice President of Product, Nick Turley, reported that ChatGPT had reached 5 million paying business users. Radware warns that this growing reliance on AI agents, combined with their autonomous capabilities and integration with sensitive business data, introduces an entirely new category of risks.
Pascal Geenens, Director of Cyber Threat Intelligence at Radware, highlighted these broader implications: “Enterprises adopting AI cannot rely on built-in safeguards alone to prevent abuse. Our research highlights that the combination of AI autonomy, SaaS services and integration with customers’ sensitive data sources introduces an entirely new class of risks. AI-driven workflows can be manipulated in ways not yet anticipated, and these attack vectors often bypass the visibility and detection capabilities of traditional security solutions.”
Security teams are urged to adapt their defenses to account for autonomous AI behaviors and consider server-side AI activity as a critical threat vector, as traditional endpoint or network-based security solutions may prove insufficient.
Also Read:
- Notion 3.0 AI Agents Vulnerable to Data Exfiltration via Malicious Documents
- SpamGPT: AI-Powered Tool Revolutionizes Cybercrime, Lowering Barriers for Phishing and Ransomware
Radware plans to host a detailed webinar on October 16, 2025, to provide a full technical breakdown of the ShadowLeak attack and offer defense recommendations to the cybersecurity community.
