Radware reveals a new zero-click prompt injection flaw called ‘ZombieAgent’ that targets OpenAI’s Deep Research agent, risking silent data exfiltration and agent hijacking across organisations, with full technical details to be disclosed in January 2026.
Radware has disclosed a newly discovered zero-click indirect prompt injection vulnerability it calls “ZombieAgent” that it says targets OpenAI’s Deep Research agent and could enable invisible, persistent data theft and agent hijacking across enterprise environments. According to Radware’s press release, the flaw allows attackers to implant malicious rules into an agent’s long-term memory or working notes so that the agent executes hidden actions every time it is used, silently collecting sensitive information and potentially propagating across contacts and recipients. [1][2]
Radware frames ZombieAgent as an advance on its earlier ShadowLeak research, describing a multi‑stage attack that begins with what appears to be a normal email, document or webpage containing concealed directives. When a connected AI agent processes that content, for example during routine inbox summarisation, the agent interprets the embedded instructions as legitimate commands. Radware says this enables zero‑click exploitation with no user interaction required. According to the company, because the malicious activity executes within OpenAI’s cloud infrastructure rather than on corporate endpoints, traditional enterprise controls such as secure web gateways, endpoint detection and response, and firewalls would not log or detect the exfiltration. [1][3][4]
“ZombieAgent illustrates a critical structural weakness in today’s agentic AI platforms,” Pascal Geenens, vice president, threat intelligence at Radware, said in the company’s announcement. He warned that enterprises often lack visibility into how agents interpret untrusted content or what actions they execute in the cloud, creating a “dangerous blind spot” attackers can exploit. The comments were included in Radware’s Globe Newswire release. [1]
Radware has presented ZombieAgent as part of a broader pattern of threats arising from the expanding “agentic” attack surface, where autonomous agents read email, interact with systems, initiate workflows and make decisions. Industry reporting and Radware’s prior advisories on ShadowLeak documented a similar server‑side risk: attackers embedding instructions that cause an AI agent to leak data directly from the provider’s infrastructure. According to Radware’s ShadowLeak advisory, OpenAI previously confirmed and fixed the related issue after responsible disclosure. [3][4][7]
The company disclosed ZombieAgent to OpenAI under responsible disclosure protocols and said it will publish a full technical breakdown and defensive recommendations through its Security Research Center following a live webinar scheduled for 20 January 2026. Radware invited security leaders and AI developers to attend the webinar, which it says will explore the attack’s anatomy and best practices for securing AI agents. The announcement reiterates Radware’s broader threat research agenda and its positioning as a provider of AI‑driven application and infrastructure security. [1][2][6]
Radware’s new advisory dovetails with its other research on malicious bots and agent impersonation, which warns that agent modes and POST‑capable interfaces undermine traditional bot mitigation assumptions. That earlier work argues that attackers can exploit API and agent behaviours to masquerade as legitimate services, further complicating detection and mitigation for organisations that rely on third‑party AI platforms. According to Radware, these combined weaknesses demand new defensive approaches that consider server‑side agent behaviour as part of enterprise risk models. [5]
Experts and organisations using agentic AI should take Radware’s disclosure as an early warning to assess how external AI agents are configured, what permissions they hold, and whether logs and monitoring capture agent interactions and cloud‑side actions. Industry data and Radware’s advisories suggest that reliance on conventional perimeter and endpoint controls alone will be insufficient where sensitive data is processed by provider‑hosted agents; organisations will likely need tighter access controls, stricter data handling policies for agent integrations, and provider‑level mitigations to reduce the risk of stealthy server‑side exfiltration. [3][4][5]
##Reference Map:
- [1] (Globe Newswire) – Paragraph 1, Paragraph 2, Paragraph 3, Paragraph 5
- [2] (Globe Newswire / Radware release summary) – Paragraph 1, Paragraph 5
- [3] (Radware ShadowLeak advisory page) – Paragraph 2, Paragraph 4, Paragraph 7
- [4] (Radware ShadowLeak PDF advisory) – Paragraph 2, Paragraph 4, Paragraph 7
- [5] (Radware report “The AI identity dilemma”) – Paragraph 6, Paragraph 7
- [6] (StockTitan summary) – Paragraph 5
- [7] (Dataconomy coverage of ShadowLeak) – Paragraph 4
Source: Noah Wire Services
Noah Fact Check Pro
The draft above was created using the information available at the time the story first
emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed
below. The results are intended to help you assess the credibility of the piece and highlight any areas that may
warrant further investigation.
Freshness check
Score:
8
Notes:
The narrative presents a recent discovery by Radware, dated January 8, 2026, detailing the ‘ZombieAgent’ zero-click vulnerability in OpenAI’s Deep Research agent. This is a new development, with no prior reports found in the past seven days. The content is original and not recycled from previous news. The report is based on Radware’s press release, which typically warrants a high freshness score. No discrepancies in figures, dates, or quotes were identified. The inclusion of updated data alongside older material is noted, but the recent update justifies a higher freshness score.
Quotes check
Score:
10
Notes:
The direct quotes from Pascal Geenens, vice president of threat intelligence at Radware, and other statements are unique to this report. No identical quotes appear in earlier material, indicating original content. No variations in quote wording were found, and no online matches were identified, suggesting potentially exclusive content.
Source reliability
Score:
9
Notes:
The narrative originates from Radware, a reputable cybersecurity company known for its expertise in application security and threat intelligence. The report is based on Radware’s press release, which is a direct source of information. The press release is hosted on GlobeNewswire, a legitimate news distribution service. No unverifiable entities or fabricated information were identified.
Plausability check
Score:
9
Notes:
The claims about the ‘ZombieAgent’ vulnerability align with Radware’s previous research on similar vulnerabilities, such as ‘ShadowLeak’. The technical details provided are consistent with known cybersecurity threats involving AI agents. The narrative lacks supporting detail from other reputable outlets, which is noted as a limitation. The language and tone are consistent with typical corporate communications from Radware. No excessive or off-topic details were found, and the tone is appropriately formal and informative.
Overall assessment
Verdict (FAIL, OPEN, PASS): PASS
Confidence (LOW, MEDIUM, HIGH): HIGH
Summary:
The narrative presents a recent and original report from Radware about a new zero-click vulnerability in OpenAI’s Deep Research agent. The content is fresh, with no prior reports found in the past seven days. The quotes are unique and potentially exclusive. The source is reliable, originating from Radware’s press release. The claims are plausible and consistent with known cybersecurity threats, though lacking supporting detail from other reputable outlets. Overall, the narrative passes the fact-check with high confidence.
Supercharge Your Content Strategy
Feel free to test this content on your social media sites to see whether it works for your community.
