Major Vulnerabilities Exposed by Zenity Labs
At the recent Black Hat USA 2025 conference, Zenity Labs unveiled research on vulnerabilities in major enterprise AI systems, collectively termed 'AgentFlayer.' The research describes a set of 0click exploit chains that allow attackers to hijack AI agents without any interaction from users. The implications of this research could redefine the security landscape for AI applications in businesses.
Presented by co-founder and CTO Michael Bargury alongside threat researcher Tamir Ishay Sharbat, the findings were shared during their session titled "AI Enterprise Compromise 0Click Exploit Methods." The research highlights the inherent risks associated with widely deployed AI agents from major vendors such as OpenAI's ChatGPT, Microsoft Copilot Studio, and Salesforce Einstein.
The Nature of the Threat
Zenity Labs' findings demonstrate how AI agents can be compromised to perform unauthorized actions autonomously. Attackers can exploit these vulnerabilities to exfiltrate sensitive data, manipulate automated workflows, and bypass human oversight entirely.
Key Discoveries
1. OpenAI ChatGPT Compromises: Using simple email-triggered prompt injections, attackers can gain access to connected Google Drive accounts and implant malicious memories, turning ChatGPT into a malicious agent capable of corrupting future interactions.
2. Microsoft Copilot Studio Exposures: A customer support agent demonstrated on stage leaked its entire CRM database, and the research identified over 3,000 similarly susceptible agents in circulation.
3. Manipulation of Salesforce Einstein: By creating malicious support cases, attackers can reroute customer communications to email addresses they control, compromising sensitive client data.
4. Exploiting Google Gemini and Microsoft 365 Copilot: These platforms can be coerced into acting as malicious insiders that conduct social engineering attacks, leading to the exfiltration of private conversations via compromised emails and calendar invites.
5. Cursor with Jira MCP Vulnerabilities: Developer credentials can be harvested through weaponized ticket workflows, exposing further layers of enterprise security.
Alarm Bells for Enterprises
According to Zenity's CEO Ben Kilger, these vulnerabilities reveal a critical security gap: many organizations remain unaware of the attack surface created by the rapid adoption of AI agents. He emphasized that businesses relying solely on vendor-provided mitigations or traditional security tools are extremely vulnerable.
The urgency of these vulnerabilities is underscored by the rapid growth of AI tools, as evidenced by ChatGPT's reported 800 million weekly active users and Microsoft 365 Copilot's tenfold increase in seats over just 17 months. Despite this rapid rise in adoption, the necessary security controls appear to lag behind, raising pressing concerns about data safety and operational integrity.
Industry Implications and Responses
Following Zenity's responsible disclosure of the vulnerabilities, some vendors, including OpenAI and Microsoft, issued patches. Others chose not to respond, or defended the reported behavior as intended functionality. This mixed response sheds light on the current inadequacies in AI agent security approaches.
The research highlights an industry-wide need to prioritize security in the development and deployment of AI technologies. Zenity's response includes the development of an agent-centric security platform aimed at giving organizations better visibility into, and control over, the behavior of their AI agents, focusing on the specific threats raised by the current research findings.
Moving Toward Solutions
Zenity Labs is committed to equipping defenders with the insights necessary to navigate the evolving threat landscape. Following their presentation, comprehensive research materials, including technical breakdowns and defense strategies, will be available on the Zenity Labs website.
For those attending Black Hat USA 2025, Zenity will showcase live demos of the exploits and offer in-depth discussions on securing AI agents, along with practical guidance.
In addition, Zenity will host the AI Agent Security Summit on October 8 at the Commonwealth Club in San Francisco for a broader discussion of these security challenges. The summit is intended to gather thought leaders and experts to strategize effective protections and build resilience against emerging threats in the AI domain.
Zenity, founded by security professionals from top tech firms, aims to empower enterprises to adopt AI technologies confidently, ensuring that innovation does not come at the cost of security. For more information or to stay updated on their research, visit zenity.io.