TLDR: Zenity Labs has revealed a new class of ‘AgentFlayer’ vulnerabilities, demonstrating 0-click exploits that can silently hijack major enterprise AI agents like ChatGPT, Microsoft Copilot, and Salesforce Einstein, bypassing human oversight and posing significant security risks to sensitive data and operations.
LAS VEGAS – Zenity Labs, a prominent AI security firm, announced today at Black Hat USA 2025 the discovery of widespread ‘AgentFlayer’ vulnerabilities, a comprehensive set of 0-click exploit chains capable of silently compromising enterprise AI agents and assistants without requiring any user interaction. This groundbreaking research signifies a fundamental shift in the AI security landscape, moving towards fully automated attacks.
The ‘AgentFlayer’ exploits have been successfully demonstrated against several leading AI platforms, including OpenAI ChatGPT, Microsoft Copilot Studio, Salesforce Einstein, Google Gemini, Microsoft 365 Copilot, and developer tools like Cursor with Jira MCP. Michael Bargury, CTO and co-founder of Zenity, emphasized the severity of these findings, stating, “These aren’t theoretical vulnerabilities, they’re working exploits with immediate, real-world consequences.”
Detailed findings from Zenity Labs illustrate the profound impact of these vulnerabilities:
- OpenAI ChatGPT was compromised through email-triggered prompt injection, granting attackers access to connected Google Drive accounts. This allowed for the implantation of malicious ‘memories,’ compromising every future session and transforming ChatGPT into a malicious agent.
- A Microsoft Copilot Studio customer support agent, previously showcased by Microsoft, was found to be vulnerable to leaking entire CRM databases. Zenity Labs identified over 3,000 such agents in the wild that could reveal their internal tools, making them highly susceptible to exploitation.
- Salesforce Einstein was manipulated via malicious case creation, enabling attackers to reroute all customer communications to attacker-controlled email addresses.
- Google Gemini and Microsoft 365 Copilot were transformed into ‘malicious insiders,’ capable of social engineering users and exfiltrating sensitive conversations through booby-trapped emails and calendar invites.
- Cursor with Jira MCP was exploited to harvest developer credentials through weaponized ticket workflows.
The implications of ‘AgentFlayer’ are far-reaching, as these attacks require zero interaction from users, making them particularly insidious. The ability to silently hijack AI agents circumvents traditional human oversight mechanisms, raising critical concerns for data privacy, operational integrity, and intellectual property within enterprises.
As a research-driven security company, Zenity Labs conducts this threat intelligence to benefit the broader AI community, aiming to equip defenders with insights comparable to those of attackers. The complete research, including technical breakdowns and defense recommendations, will be made available on labs.zenity.io following the Black Hat presentation. Attendees at Black Hat USA 2025 are invited to visit Zenity at booth #5108 for live demonstrations of the exploits, in-depth technical discussions, and practical guidance on securing AI agents in production environments.