Zenity Labs Exposes Widespread AgentFlayer Vulnerabilities Allowing Silent Hijacking of Major Enterprise AI Agents Circumventing Human Oversight
ai-security

Zenity Labs reveals AgentFlayer vulnerabilities enabling silent, zero-click hijacking of major enterprise AI agents, bypassing human oversight.

August 7, 2025
5 min read
Zenity

Zenity Labs Exposes AgentFlayer Vulnerabilities Allowing Silent Hijacking of Enterprise AI Agents

At Black Hat USA 2025, Zenity Labs revealed AgentFlayer, a comprehensive set of zero-click exploit chains that enable attackers to silently compromise enterprise AI agents and assistants without any user interaction. Presented by Zenity co-founder and CTO Michael Bargury and threat researcher Tamir Ishay Sharbat in their session, AI Enterprise Compromise: 0Click Exploit Methods, this research demonstrates how widely deployed AI agents from major vendors can be hijacked to exfiltrate data, manipulate workflows, and autonomously operate across enterprise systems—all without users being aware.

Key Findings

  • OpenAI ChatGPT was compromised via email-triggered prompt injection, granting attackers access to connected Google Drive accounts, implanting malicious memories, compromising all future sessions, and transforming ChatGPT into a malicious agent.
  • Microsoft Copilot Studio customer support agents were shown to leak entire CRM databases. Over 3,000 such agents exist publicly, exposing internal tools vulnerable to exploitation.
  • Salesforce Einstein was manipulated through malicious case creation to reroute all customer communications to attacker-controlled email addresses.
  • Google Gemini and Microsoft 365 Copilot were turned into malicious insiders, social engineering users and exfiltrating sensitive conversations via booby-trapped emails and calendar invites.
  • Cursor with Jira MCP was exploited to harvest developer credentials through weaponized ticket workflows.

Industry Impact

Michael Bargury, CTO and co-founder of Zenity, emphasized, "These aren't theoretical vulnerabilities, they're working exploits with immediate, real-world consequences. We demonstrated memory persistence and how attackers can silently hijack AI agents to exfiltrate sensitive data, impersonate users, manipulate critical workflows, and move across enterprise systems, bypassing the human entirely. Attackers can compromise your agent instead of targeting you, with similar consequences." Ben Kilger, CEO of Zenity, added, "The rapid adoption of AI agents has created an attack surface that most organizations don't even know exists. Our research shows current security approaches are fundamentally misaligned with how AI agents operate. While vendors promise AI safety, attackers are already exploiting these systems in production. This is why Zenity has built the industry's first agent-centric security platform—to give enterprises the visibility and control they desperately need."

Vendor Responses and Challenges

Following responsible disclosure, some vendors, including OpenAI and Microsoft (for Copilot Studio), issued patches. However, several vendors declined to address the vulnerabilities, describing the reported behavior as intended functionality. This mixed response highlights a critical gap in AI agent security across the industry.

The Growing Threat Landscape

With ChatGPT reaching 800 million weekly active users and Microsoft 365 Copilot seats growing tenfold in just 17 months, enterprises are rapidly deploying AI agents without adequate security controls. Zenity Labs warns that relying solely on vendor mitigations or traditional security tools leaves organizations exposed to a new class of automated, zero-interaction attacks.

Moving Forward: Defense and Awareness

Zenity Labs, as a research-driven security company, provides threat intelligence to the wider AI community, ensuring defenders have the same insights as attackers. Full technical breakdowns and defense recommendations will be available at labs.zenity.io following the presentation.

Events and Demonstrations

Attendees at Black Hat USA 2025 can visit Zenity at booth #5108 for live exploit demonstrations, technical discussions, and practical guidance on securing AI agents in production. For those unable to attend, Zenity will host deeper discussions at the AI Agent Security Summit 2025 on October 8 at the Commonwealth Club in San Francisco. Reserve your spot here.

About Zenity

Zenity is an agent-centric security and governance platform that provides enterprises with visibility and control over AI agent behavior—monitoring what they access, their actions, and the tools they invoke. It offers full-lifecycle protection across SaaS, custom agent platforms, and end-user devices. Founded by security researchers and engineers from Microsoft, Meta, and Unit 8200, Zenity enables organizations to embrace AI innovation without compromising security. Learn more at zenity.io.

About Zenity Labs

Zenity Labs is the threat research arm of Zenity, dedicated to uncovering and responsibly disclosing vulnerabilities in AI systems. Through cutting-edge research and real-world attack simulations, Zenity Labs helps organizations understand and defend against emerging AI threats. Subscribe to research updates at labs.zenity.io.

Media Contact

Diana Diaz, Force4 Technology Communications, diana.diaz@force4.co

Source: Zenity Labs Exposes Widespread AgentFlayer Vulnerabilities

Frequently Asked Questions (FAQ)

What is AgentFlayer?

AgentFlayer is a set of zero-click exploit chains developed by Zenity Labs that can silently compromise enterprise AI agents and assistants without any user interaction.

What kind of vulnerabilities does AgentFlayer exploit?

AgentFlayer exploits vulnerabilities in widely deployed AI agents from major vendors, enabling attackers to exfiltrate data, manipulate workflows, and autonomously operate across enterprise systems. Examples include prompt injection attacks and other methods that allow for silent hijacking.

Which AI agents have been shown to be vulnerable?

The research has demonstrated vulnerabilities in OpenAI ChatGPT, Microsoft Copilot Studio, Salesforce Einstein, Google Gemini, and Microsoft 365 Copilot. Cursor with Jira MCP was also exploited for credential harvesting.

What are the potential consequences of an AgentFlayer attack?

Attackers can silently hijack AI agents to exfiltrate sensitive data, impersonate users, manipulate critical workflows, and move laterally across enterprise systems, often without the user's knowledge.

What is Zenity's solution to this problem?

Zenity offers an agent-centric security platform designed to provide enterprises with the visibility and control needed to manage AI agent behavior, monitor their access and actions, and secure against emerging threats.

What has been the industry response to these findings?

Following responsible disclosure, some vendors, including OpenAI and Microsoft (for Copilot Studio), have released patches. However, other vendors have declined to address the vulnerabilities, considering them intended functionality, highlighting a significant gap in AI agent security.

What is Zenity Labs' role in addressing AI security?

Zenity Labs is the threat research arm of Zenity, focused on uncovering and responsibly disclosing vulnerabilities in AI systems. They provide threat intelligence to the AI community to help defenders understand and counter emerging AI threats.

Crypto Market AI's Take

The findings from Zenity Labs regarding AgentFlayer highlight a critical and evolving threat landscape in the realm of enterprise AI. The ability to silently compromise and hijack AI agents underscores the need for robust, agent-centric security solutions. At Crypto Market AI, we are deeply invested in the intersection of AI and finance, and this research reinforces our commitment to understanding and mitigating risks associated with AI deployment. Our platform leverages AI for market analysis and trading strategies, and we recognize the paramount importance of securing these AI systems. For organizations looking to navigate the complexities of AI security, understanding these vulnerabilities is key. We believe that proactive security measures and continuous vigilance are essential for safe and effective AI adoption. For more insights into how AI is transforming financial markets and the associated security considerations, explore our resources on AI agents in finance and AI-driven crypto trading.
