{"id":20308,"date":"2026-01-08T12:36:00","date_gmt":"2026-01-08T12:36:00","guid":{"rendered":"https:\/\/sawahsolutions.com\/alpha\/radware-uncovers-zombieagent-a-zero-click-ai-vulnerability-enabling-stealth-data-theft-in-enterprises\/"},"modified":"2026-01-08T13:07:40","modified_gmt":"2026-01-08T13:07:40","slug":"radware-uncovers-zombieagent-a-zero-click-ai-vulnerability-enabling-stealth-data-theft-in-enterprises","status":"publish","type":"post","link":"https:\/\/sawahsolutions.com\/alpha\/radware-uncovers-zombieagent-a-zero-click-ai-vulnerability-enabling-stealth-data-theft-in-enterprises\/","title":{"rendered":"Radware uncovers ‘ZombieAgent’, a zero-click AI vulnerability enabling stealth data theft in enterprises"},"content":{"rendered":"

<\/p>\n

\n

Radware reveals a new zero-click prompt injection flaw called ‘ZombieAgent’ that targets OpenAI\u2019s Deep Research agent, risking silent data exfiltration and agent hijacking across organisations, with full technical details to be disclosed in January 2026.<\/p>\n<\/div>\n

\n

Radware has disclosed a newly discovered zero-click indirect prompt injection vulnerability it calls “ZombieAgent” that it says targets OpenAI\u2019s Deep Research agent and could enable invisible, persistent data theft and agent hijacking across enterprise environments. According to Radware\u2019s press release, the flaw allows attackers to implant malicious rules into an agent\u2019s long-term memory or working notes so that the agent executes hidden actions every time it is used, silently collecting sensitive information and potentially propagating across contacts and recipients. [1]<\/a><\/sup>[2]<\/a><\/sup><\/p>\n

Radware frames ZombieAgent as an advance on its earlier ShadowLeak research, describing a multi\u2011stage attack that begins with what appears to be a normal email, document or webpage containing concealed directives. When a connected AI agent processes that content, for example during routine inbox summarisation, the agent interprets the embedded instructions as legitimate commands. Radware says this enables zero\u2011click exploitation with no user interaction required. According to the company, because the malicious activity executes within OpenAI\u2019s cloud infrastructure rather than on corporate endpoints, traditional enterprise controls such as secure web gateways, endpoint detection and response, and firewalls would not log or detect the exfiltration. [1]<\/a><\/sup>[3]<\/a><\/sup>[4]<\/a><\/sup><\/p>\n

\u201cZombieAgent illustrates a critical structural weakness in today\u2019s agentic AI platforms,\u201d Pascal Geenens, vice president, threat intelligence at Radware, said in the company\u2019s announcement. He warned that enterprises often lack visibility into how agents interpret untrusted content or what actions they execute in the cloud, creating a \u201cdangerous blind spot\u201d attackers can exploit. The comments were included in Radware\u2019s Globe Newswire release. [1]<\/a><\/sup><\/p>\n

Radware has presented ZombieAgent as part of a broader pattern of threats arising from the expanding “agentic” attack surface, where autonomous agents read email, interact with systems, initiate workflows and make decisions. Industry reporting and Radware\u2019s prior advisories on ShadowLeak documented a similar server\u2011side risk: attackers embedding instructions that cause an AI agent to leak data directly from the provider\u2019s infrastructure. According to Radware\u2019s ShadowLeak advisory, OpenAI previously confirmed and fixed the related issue after responsible disclosure. [3]<\/a><\/sup>[4]<\/a><\/sup>[7]<\/a><\/sup><\/p>\n

The company disclosed ZombieAgent to OpenAI under responsible disclosure protocols and said it will publish a full technical breakdown and defensive recommendations through its Security Research Center following a live webinar scheduled for 20 January 2026. Radware invited security leaders and AI developers to attend the webinar, which it says will explore the attack\u2019s anatomy and best practices for securing AI agents. The announcement reiterates Radware\u2019s broader threat research agenda and its positioning as a provider of AI\u2011driven application and infrastructure security. [1]<\/a><\/sup>[2]<\/a><\/sup>[6]<\/a><\/sup><\/p>\n

Radware\u2019s new advisory dovetails with its other research on malicious bots and agent impersonation, which warns that agent modes and POST\u2011capable interfaces undermine traditional bot mitigation assumptions. That earlier work argues that attackers can exploit API and agent behaviours to masquerade as legitimate services, further complicating detection and mitigation for organisations that rely on third\u2011party AI platforms. According to Radware, these combined weaknesses demand new defensive approaches that consider server\u2011side agent behaviour as part of enterprise risk models. [5]<\/a><\/sup><\/p>\n

Experts and organisations using agentic AI should take Radware\u2019s disclosure as an early warning to assess how external AI agents are configured, what permissions they hold, and whether logs and monitoring capture agent interactions and cloud\u2011side actions. Industry data and Radware\u2019s advisories suggest that reliance on conventional perimeter and endpoint controls alone will be insufficient where sensitive data is processed by provider\u2011hosted agents; organisations will likely need tighter access controls, stricter data handling policies for agent integrations, and provider\u2011level mitigations to reduce the risk of stealthy server\u2011side exfiltration. [3]<\/a><\/sup>[4]<\/a><\/sup>[5]<\/a><\/sup><\/p>\n

##Reference Map:<\/p>\n