.jpg)
Radware has announced the discovery of "ZombieAgent," a sophisticated zero-click indirect prompt injection vulnerability targeting OpenAI's Deep Research agent. This critical flaw could allow attackers to silently hijack AI agents, implant persistent malicious instructions, and exfiltrate sensitive data directly from cloud servers, all without triggering traditional enterprise security controls or requiring user interaction.
Radware discovers "ZombieAgent," a zero-click vulnerability in OpenAI's Deep Research agent.
The flaw allows attackers to embed hidden instructions in emails/docs that the agent executes.
It enables persistent memory manipulation, turning the agent into a silent data collection tool.
All malicious actions occur in OpenAI's cloud, bypassing corporate network and endpoint security.
The attack can propagate autonomously, creating a worm-like campaign inside an organization.
Radware has disclosed the vulnerability to OpenAI under responsible disclosure protocols.
ZombieAgent represents an evolution of previously disclosed techniques like Radware's "ShadowLeak." The advanced danger lies in its ability to implant malicious rules directly into an AI agent's long-term memory or working notes. This grants persistence, meaning the compromised agent executes hidden actions every time it is used, continuously collecting sensitive information. Furthermore, the attack can self-propagate by spreading to additional contacts or email recipients, potentially initiating an automated, worm-like campaign from a single malicious email.
Pascal Geenens, vice president of threat intelligence at Radware, highlighted the systemic risk. “ZombieAgent illustrates a critical structural weakness in today’s agentic AI platforms. Enterprises rely on these agents to make decisions and access sensitive systems, but they lack visibility into how agents interpret untrusted content or what actions they execute in the cloud. This creates a dangerous blind spot.”
A defining and particularly dangerous characteristic of ZombieAgent is its operational domain. All malicious activity—including data collection and exfiltration—occurs within OpenAI's cloud infrastructure. Because no malicious traffic passes through the corporate network and no code executes on the user's endpoint, traditional security tools like firewalls, secure web gateways, and endpoint detection and response (EDR) systems are completely blind to the attack. This cloud-side invisibility makes detection exceptionally difficult using existing enterprise security controls.
The attack exploits the AI agent's routine tasks, such as summarizing an inbox or reading documents. Attackers can embed hidden directives within everyday content like emails. When the agent processes this content, it interprets the concealed instructions as legitimate commands, enabling actions like collecting mailbox data, accessing files, and communicating with external servers—all without a user click.
This discovery underscores the rapidly expanding "agentic threat surface," where autonomous AI agents with access to corporate systems and data become new targets for exploitation. Radware has disclosed the vulnerability to OpenAI and will host a detailed webinar on January 20, 2026, to discuss the findings and defensive best practices.
About Radware
Radware® is a global leader in application security and delivery solutions for multi-cloud environments. The company’s cloud application, infrastructure, and API security solutions use AI-driven algorithms for precise, hands-free, real-time protection from the most sophisticated web, application, and DDoS attacks, API abuse, and bad bots. Enterprises and carriers worldwide rely on Radware’s solutions to address evolving cybersecurity challenges and protect their brands and business operations while reducing costs.
TechIntelPro empowers B2B technology decision-makers with the latest industry trends, deep insights, leadership perspectives and actionable intelligence to drive both organizational and professional milestones—and thrive on the tech pulse.