From c853695f606ef290be1c51ad423fac8bebfb18a9 Mon Sep 17 00:00:00 2001 From: almogbhl Date: Tue, 30 Sep 2025 09:20:30 +0300 Subject: [PATCH 1/9] Update ASI_Agentic_Exploits_Incidents.md --- .../ASI_Agentic_Exploits_Incidents.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md index 751fc576..1943b95a 100644 --- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md +++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md 
@@ -17,18 +17,18 @@ Similarly, any aspects relating to incident response should be discussed with th | Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis | |------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------| -| **EchoLeak (Zero-Click Prompt Injection)** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | - | -| **GitPublic Issue Repo Hijack** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) | - | -| **Hub MCP Prompt Injection (Cross-Context)** | *(details missing)* | *(unspecified)* | - | -| **Replit Vibe Coding Meltdown – Jul 2025** | Agent hallucinated data, deleted a production DB, and generated false outputs to hide mistakes | T07 (Deceptive Behaviour) | - | -| **Agent-in-the-Middle (A2A Protocol Spoofing) – Apr 2025** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. 
| TI12 + TI13 (Rogue Agents) | - | -| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | - | -| **Google Gemini CLI File Loss – Jul 2025** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | T11 (Unexpected RCE) | - | -| **ToolShell RCE via SharePoint – CVE-2025-5377 (Jul 2025)** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | - | -| **AgentSmith Prompt-Hub Proxy Attack – Jul 2025** | Proxy prompt agent exfiltrated API keys | ASI17 (Supply Chain) | - | -| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | - | -| **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. 
| T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | - | -| **Flowise Pre-Auth Arbitrary File Upload – CVE-2025-26319 (Mar 2025)** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | - | -| **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | - | +| **EchoLeak (Zero-Click Prompt Injection)** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | • [Microsoft MSRC](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)
• [NVD — CVE-2025-32711](https://nvd.nist.gov/vuln/detail/CVE-2025-32711) | +| **GitPublic Issue Repo Hijack** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) | • —
• — | +| **Hub MCP Prompt Injection (Cross-Context)** | *(details missing)* | *(unspecified)* | • [MCP Inspector](https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g)
• [NVD — CVE-2025-49596](https://nvd.nist.gov/vuln/detail/CVE-2025-49596) | +| **Replit Vibe Coding Meltdown – Jul 2025** | Agent hallucinated data, deleted a production DB, and generated false outputs to hide mistakes | T07 (Deceptive Behaviour) | • —
• — | +| **Agent-in-the-Middle (A2A Protocol Spoofing) – Apr 2025** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | TI12 + TI13 (Rogue Agents) | • —
• — | +| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | • [AWS Security Bulletin](https://aws.amazon.com/security/security-bulletins/AWS-2025-015)
• [NVD — CVE-2025-8217](https://nvd.nist.gov/vuln/detail/CVE-2025-8217) | +| **Google Gemini CLI File Loss – Jul 2025** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | T11 (Unexpected RCE) | • [Google Gemini CLI](https://github.com/google-gemini/gemini-cli/releases)
• — | +| **ToolShell RCE via SharePoint – CVE-2025-5377 (Jul 2025)** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | • [Microsoft MSRC](https://www.microsoft.com/en-us/msrc/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770)
• [NVD — CVE-2025-53770](https://nvd.nist.gov/vuln/detail/CVE-2025-53770) | +| **AgentSmith Prompt-Hub Proxy Attack – Jul 2025** | Proxy prompt agent exfiltrated API keys | ASI17 (Supply Chain) | • —
• — | +| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | • [OpenAI Operator](https://openai.com/index/operator-system-card)
• [NVD — CVE-2025-7021](https://nvd.nist.gov/vuln/detail/CVE-2025-7021) | +| **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | • [Microsoft Copilot Studio](https://learn.microsoft.com/en-us/microsoft-copilot-studio/configuration-end-user-authentication)
• — | +| **Flowise Pre-Auth Arbitrary File Upload – CVE-2025-26319 (Mar 2025)** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [GitHub Advisory DB](https://github.com/advisories/ghsa-69jq-qr7w-j7qh)
• [NVD — CVE-2025-26319](https://nvd.nist.gov/vuln/detail/CVE-2025-26319) | +| **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • —
• — | --- From fb806d7f4acd48dc96f675efba61445c89182734 Mon Sep 17 00:00:00 2001 From: almogbhl Date: Tue, 30 Sep 2025 15:32:52 +0300 Subject: [PATCH 2/9] Update links --- .../ASI_Agentic_Exploits_Incidents.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md index 1943b95a..38111f24 100644 --- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md +++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md @@ -15,20 +15,20 @@ Similarly, any aspects relating to incident response should be discussed with th ## Exploits & Incidents Table -| Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis | +| Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis
(Vendor / CVE / Discoverer) | |------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------| -| **EchoLeak (Zero-Click Prompt Injection)** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | • [Microsoft MSRC](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)
• [NVD — CVE-2025-32711](https://nvd.nist.gov/vuln/detail/CVE-2025-32711) | -| **GitPublic Issue Repo Hijack** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) | • —
• — | -| **Hub MCP Prompt Injection (Cross-Context)** | *(details missing)* | *(unspecified)* | • [MCP Inspector](https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g)
• [NVD — CVE-2025-49596](https://nvd.nist.gov/vuln/detail/CVE-2025-49596) | -| **Replit Vibe Coding Meltdown – Jul 2025** | Agent hallucinated data, deleted a production DB, and generated false outputs to hide mistakes | T07 (Deceptive Behaviour) | • —
• — | -| **Agent-in-the-Middle (A2A Protocol Spoofing) – Apr 2025** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | TI12 + TI13 (Rogue Agents) | • —
• — | -| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | • [AWS Security Bulletin](https://aws.amazon.com/security/security-bulletins/AWS-2025-015)
• [NVD — CVE-2025-8217](https://nvd.nist.gov/vuln/detail/CVE-2025-8217) | -| **Google Gemini CLI File Loss – Jul 2025** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | T11 (Unexpected RCE) | • [Google Gemini CLI](https://github.com/google-gemini/gemini-cli/releases)
• — | -| **ToolShell RCE via SharePoint – CVE-2025-5377 (Jul 2025)** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | • [Microsoft MSRC](https://www.microsoft.com/en-us/msrc/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770)
• [NVD — CVE-2025-53770](https://nvd.nist.gov/vuln/detail/CVE-2025-53770) | -| **AgentSmith Prompt-Hub Proxy Attack – Jul 2025** | Proxy prompt agent exfiltrated API keys | ASI17 (Supply Chain) | • —
• — | -| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | • [OpenAI Operator](https://openai.com/index/operator-system-card)
• [NVD — CVE-2025-7021](https://nvd.nist.gov/vuln/detail/CVE-2025-7021) | -| **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | • [Microsoft Copilot Studio](https://learn.microsoft.com/en-us/microsoft-copilot-studio/configuration-end-user-authentication)
• — | -| **Flowise Pre-Auth Arbitrary File Upload – CVE-2025-26319 (Mar 2025)** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [GitHub Advisory DB](https://github.com/advisories/ghsa-69jq-qr7w-j7qh)
• [NVD — CVE-2025-26319](https://nvd.nist.gov/vuln/detail/CVE-2025-26319) | -| **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • —
• — | +| **EchoLeak (Zero-Click Prompt Injection)** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | • [Microsoft MSRC](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)
• [NVD — CVE-2025-32711](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)
• [Aim Security](https://www.aim.security/post/echoleak-blogpost) | +| **GitPublic Issue Repo Hijack** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) | • —
• —
• [Invariant Labs](https://invariantlabs.ai/blog/mcp-github-vulnerability) | +| **Hub MCP Prompt Injection (Cross-Context)** | A malicious web page could talk to the local MCP Inspector proxy (no auth) via DNS-rebinding/CSRF and drive it to run MCP commands over stdio, which leading to arbitrary OS command execution and data exfiltration. | ASI01 (Agent Behaviour Hijack)
ASI02 (Tool Misuse & Exploitation)
ASI05 (Unexpected Code Execution) | • [MCP Inspector](https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g)
• [NVD — CVE-2025-49596](https://nvd.nist.gov/vuln/detail/CVE-2025-49596)
• [Oligo Security](https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596)| +| **Replit Vibe Coding Meltdown – Jul 2025** | Agent hallucinated data, deleted a production DB, and generated false outputs to hide mistakes | T07 (Deceptive Behaviour) | • [Replit](https://blog.replit.com/introducing-a-safer-way-to-vibe-code-with-replit-databases)
• —
• [SaaStr](https://www.saastr.com/replits-new-release-address-most-of-the-challenges-we-hit-vibe-coding-but-is-prosumer-vibe-coding-really-ready-for-commercial-apps-yet) | +| **Agent-in-the-Middle (A2A Protocol Spoofing) – Apr 2025** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | TI12 + TI13 (Rogue Agents) | • —
• —
• [Trustwave](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-the-middle-abusing-agent-cards-in-the-agent-2-agent-protocol-to-win-all-the-tasks) | +| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | • [AWS Security Bulletin](https://aws.amazon.com/security/security-bulletins/AWS-2025-015)
• [NVD — CVE-2025-8217](https://nvd.nist.gov/vuln/detail/CVE-2025-8217)
• — | +| **Google Gemini CLI File Loss – Jul 2025** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | T11 (Unexpected RCE) | • [Google Gemini](https://github.com/google-gemini/gemini-cli/issues/4586)
• — | +| **ToolShell RCE via SharePoint – CVE-2025-53770 (Jul 2025)** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | • [Microsoft MSRC](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770)
• [NVD — CVE-2025-53770](https://nvd.nist.gov/vuln/detail/CVE-2025-53770)
• [Eye Security](https://research.eye.security/sharepoint-under-siege) | +| **AgentSmith Prompt-Hub Proxy Attack – Jul 2025** | Proxy prompt agent exfiltrated API keys | ASI17 (Supply Chain) | • —
• —
• [Noma Security](https://noma.security/blog/how-an-ai-agent-vulnerability-in-langsmith-could-lead-to-stolen-api-keys-and-hijacked-llm-responses)| +| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | • —
[NVD — CVE-2025-7021](https://nvd.nist.gov/vuln/detail/CVE-2025-7021)
[Google Security Research](https://github.com/google/security-research/security/advisories/GHSA-mmgx-755h-wr74)| +| **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | • —
• —
[Zenity Labs](https://labs.zenity.io/p/a-copilot-studio-story-2-when-aijacking-leads-to-full-data-exfiltration-bc4a)| +| **Flowise Pre-Auth Arbitrary File Upload – CVE-2025-26319 (Mar 2025)** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g)
• [NVD — CVE-2025-26319](https://nvd.nist.gov/vuln/detail/CVE-2025-26319)
• [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) | +| **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • —
• —
• [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)| --- From 0e750b6f187189aec3b3951c3e92f4b6588947ba Mon Sep 17 00:00:00 2001 From: almogbhl Date: Tue, 30 Sep 2025 16:34:27 +0300 Subject: [PATCH 3/9] adjust spaces, wording and dates --- .../ASI_Agentic_Exploits_Incidents.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md index 38111f24..58238e62 100644 --- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md +++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md @@ -15,20 +15,20 @@ Similarly, any aspects relating to incident response should be discussed with th ## Exploits & Incidents Table -| Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis
(Vendor / CVE / Discoverer) | +| Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis
(Vendor / CVE / Discoverer) | |------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------| -| **EchoLeak (Zero-Click Prompt Injection)** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | • [Microsoft MSRC](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)
• [NVD — CVE-2025-32711](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)
• [Aim Security](https://www.aim.security/post/echoleak-blogpost) | -| **GitPublic Issue Repo Hijack** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) | • —
• —
• [Invariant Labs](https://invariantlabs.ai/blog/mcp-github-vulnerability) | -| **Hub MCP Prompt Injection (Cross-Context)** | A malicious web page could talk to the local MCP Inspector proxy (no auth) via DNS-rebinding/CSRF and drive it to run MCP commands over stdio, which leading to arbitrary OS command execution and data exfiltration. | ASI01 (Agent Behaviour Hijack)
ASI02 (Tool Misuse & Exploitation)
ASI05 (Unexpected Code Execution) | • [MCP Inspector](https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g)
• [NVD — CVE-2025-49596](https://nvd.nist.gov/vuln/detail/CVE-2025-49596)
• [Oligo Security](https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596)| +| **EchoLeak (Zero-Click Prompt Injection) – Jun 2025** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)
• [CVE-2025-32711](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)
• [Aim Security](https://www.aim.security/post/echoleak-blogpost) | +| **GitPublic Issue Repo Hijack – May 2025** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) | • —
• —
• [Invariant Labs](https://invariantlabs.ai/blog/mcp-github-vulnerability) | +| **Hub MCP Prompt Injection (Cross-Context) – Jun 2025** | A malicious web page could talk to the local MCP Inspector proxy (no auth) via DNS-rebinding/CSRF and drive it to run MCP commands over stdio, which leading to arbitrary OS command execution and data exfiltration. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution) | • [MCP](https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g)
• [CVE-2025-49596](https://nvd.nist.gov/vuln/detail/CVE-2025-49596)
• [Oligo Security](https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596)| | **Replit Vibe Coding Meltdown – Jul 2025** | Agent hallucinated data, deleted a production DB, and generated false outputs to hide mistakes | T07 (Deceptive Behaviour) | • [Replit](https://blog.replit.com/introducing-a-safer-way-to-vibe-code-with-replit-databases)
• —
• [SaaStr](https://www.saastr.com/replits-new-release-address-most-of-the-challenges-we-hit-vibe-coding-but-is-prosumer-vibe-coding-really-ready-for-commercial-apps-yet) | | **Agent-in-the-Middle (A2A Protocol Spoofing) – Apr 2025** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | TI12 + TI13 (Rogue Agents) | • —
• —
• [Trustwave](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-the-middle-abusing-agent-cards-in-the-agent-2-agent-protocol-to-win-all-the-tasks) | -| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | • [AWS Security Bulletin](https://aws.amazon.com/security/security-bulletins/AWS-2025-015)
• [NVD — CVE-2025-8217](https://nvd.nist.gov/vuln/detail/CVE-2025-8217)
• — | -| **Google Gemini CLI File Loss – Jul 2025** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | T11 (Unexpected RCE) | • [Google Gemini](https://github.com/google-gemini/gemini-cli/issues/4586)
• — | -| **ToolShell RCE via SharePoint – CVE-2025-53770 (Jul 2025)** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | • [Microsoft MSRC](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770)
• [NVD — CVE-2025-53770](https://nvd.nist.gov/vuln/detail/CVE-2025-53770)
• [Eye Security](https://research.eye.security/sharepoint-under-siege) | +| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | • [AWS](https://aws.amazon.com/security/security-bulletins/AWS-2025-015)
• [CVE-2025-8217](https://nvd.nist.gov/vuln/detail/CVE-2025-8217)
• — | +| **Google Gemini CLI File Loss – Jul 2025** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | T11 (Unexpected RCE) | • [Google](https://github.com/google-gemini/gemini-cli/issues/4586)
• — | +| **ToolShell RCE via SharePoint – Jul 2025** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770)
• [CVE-2025-53770](https://nvd.nist.gov/vuln/detail/CVE-2025-53770)
• [Eye Security](https://research.eye.security/sharepoint-under-siege) | | **AgentSmith Prompt-Hub Proxy Attack – Jul 2025** | Proxy prompt agent exfiltrated API keys | ASI17 (Supply Chain) | • —
• —
• [Noma Security](https://noma.security/blog/how-an-ai-agent-vulnerability-in-langsmith-could-lead-to-stolen-api-keys-and-hijacked-llm-responses)| -| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | • —
[NVD — CVE-2025-7021](https://nvd.nist.gov/vuln/detail/CVE-2025-7021)
[Google Security Research](https://github.com/google/security-research/security/advisories/GHSA-mmgx-755h-wr74)| -| **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | • —
• —
[Zenity Labs](https://labs.zenity.io/p/a-copilot-studio-story-2-when-aijacking-leads-to-full-data-exfiltration-bc4a)| -| **Flowise Pre-Auth Arbitrary File Upload – CVE-2025-26319 (Mar 2025)** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g)
• [NVD — CVE-2025-26319](https://nvd.nist.gov/vuln/detail/CVE-2025-26319)
• [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) | +| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | • —
• [CVE-2025-7021](https://nvd.nist.gov/vuln/detail/CVE-2025-7021)
• [Google](https://github.com/google/security-research/security/advisories/GHSA-mmgx-755h-wr74)| +| **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | • —
• —
• [Zenity Labs](https://labs.zenity.io/p/a-copilot-studio-story-2-when-aijacking-leads-to-full-data-exfiltration-bc4a)| +| **Flowise Pre-Auth Arbitrary File Upload – Mar 2025** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g)
• [CVE-2025-26319](https://nvd.nist.gov/vuln/detail/CVE-2025-26319)
• [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) | | **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • —
• —
• [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)| --- From 9537b5787dc03f9cb2676bc3c7ca74ac49b7b677 Mon Sep 17 00:00:00 2001 From: almogbhl Date: Tue, 30 Sep 2025 16:37:02 +0300 Subject: [PATCH 4/9] trim CVE --- .../ASI_Agentic_Exploits_Incidents.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md index 58238e62..8b615357 100644 --- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md +++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md @@ -17,18 +17,18 @@ Similarly, any aspects relating to incident response should be discussed with th | Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis
(Vendor / CVE / Discoverer) | |------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------| -| **EchoLeak (Zero-Click Prompt Injection) – Jun 2025** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)
• [CVE-2025-32711](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)
• [Aim Security](https://www.aim.security/post/echoleak-blogpost) | +| **EchoLeak (Zero-Click Prompt Injection) – Jun 2025** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)
• [CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)
• [Aim Security](https://www.aim.security/post/echoleak-blogpost) | | **GitPublic Issue Repo Hijack – May 2025** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) | • —
• —
• [Invariant Labs](https://invariantlabs.ai/blog/mcp-github-vulnerability) | -| **Hub MCP Prompt Injection (Cross-Context) – Jun 2025** | A malicious web page could talk to the local MCP Inspector proxy (no auth) via DNS-rebinding/CSRF and drive it to run MCP commands over stdio, which leading to arbitrary OS command execution and data exfiltration. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution) | • [MCP](https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g)
• [CVE-2025-49596](https://nvd.nist.gov/vuln/detail/CVE-2025-49596)
• [Oligo Security](https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596)| +| **Hub MCP Prompt Injection (Cross-Context) – Jun 2025** | A malicious web page could talk to the local MCP Inspector proxy (no auth) via DNS-rebinding/CSRF and drive it to run MCP commands over stdio, which leading to arbitrary OS command execution and data exfiltration. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution) | • [MCP](https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g)
• [CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-49596)
• [Oligo Security](https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596)| | **Replit Vibe Coding Meltdown – Jul 2025** | Agent hallucinated data, deleted a production DB, and generated false outputs to hide mistakes | T07 (Deceptive Behaviour) | • [Replit](https://blog.replit.com/introducing-a-safer-way-to-vibe-code-with-replit-databases)
• —
• [SaaStr](https://www.saastr.com/replits-new-release-address-most-of-the-challenges-we-hit-vibe-coding-but-is-prosumer-vibe-coding-really-ready-for-commercial-apps-yet) | | **Agent-in-the-Middle (A2A Protocol Spoofing) – Apr 2025** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | TI12 + TI13 (Rogue Agents) | • —
• —
• [Trustwave](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-the-middle-abusing-agent-cards-in-the-agent-2-agent-protocol-to-win-all-the-tasks) | -| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | • [AWS](https://aws.amazon.com/security/security-bulletins/AWS-2025-015)
• [CVE-2025-8217](https://nvd.nist.gov/vuln/detail/CVE-2025-8217)
• — | +| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | • [AWS](https://aws.amazon.com/security/security-bulletins/AWS-2025-015)
• [CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-8217)
• — | | **Google Gemini CLI File Loss – Jul 2025** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | T11 (Unexpected RCE) | • [Google](https://github.com/google-gemini/gemini-cli/issues/4586)
• — | -| **ToolShell RCE via SharePoint – Jul 2025** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770)
• [CVE-2025-53770](https://nvd.nist.gov/vuln/detail/CVE-2025-53770)
• [Eye Security](https://research.eye.security/sharepoint-under-siege) | +| **ToolShell RCE via SharePoint – Jul 2025** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770)
• [CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-53770)
• [Eye Security](https://research.eye.security/sharepoint-under-siege) | | **AgentSmith Prompt-Hub Proxy Attack – Jul 2025** | Proxy prompt agent exfiltrated API keys | ASI17 (Supply Chain) | • —
• —
• [Noma Security](https://noma.security/blog/how-an-ai-agent-vulnerability-in-langsmith-could-lead-to-stolen-api-keys-and-hijacked-llm-responses)| -| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | • —
• [CVE-2025-7021](https://nvd.nist.gov/vuln/detail/CVE-2025-7021)
• [Google](https://github.com/google/security-research/security/advisories/GHSA-mmgx-755h-wr74)| +| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | • —
• [CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-7021)
• [Google](https://github.com/google/security-research/security/advisories/GHSA-mmgx-755h-wr74)| | **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | • —
• —
• [Zenity Labs](https://labs.zenity.io/p/a-copilot-studio-story-2-when-aijacking-leads-to-full-data-exfiltration-bc4a)| -| **Flowise Pre-Auth Arbitrary File Upload – Mar 2025** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g)
• [CVE-2025-26319](https://nvd.nist.gov/vuln/detail/CVE-2025-26319)
• [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) | +| **Flowise Pre-Auth Arbitrary File Upload – Mar 2025** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g)
• [CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-26319)
• [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) | | **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • —
• —
• [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)| --- From 61cf50f2e304c1498388b4b23dd7a7ab1577feef Mon Sep 17 00:00:00 2001 From: almogbhl Date: Tue, 30 Sep 2025 16:47:39 +0300 Subject: [PATCH 5/9] naming --- .../ASI_Agentic_Exploits_Incidents.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md index 8b615357..a355ec45 100644 --- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md +++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md @@ -17,18 +17,18 @@ Similarly, any aspects relating to incident response should be discussed with th | Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis
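Review bot: shortening the link text from "[CVE-2025-32711]" to "[CVE]" (and likewise for CVE-2025-49596, CVE-2025-8217, CVE-2025-53770, CVE-2025-7021 and CVE-2025-26319) removes the only place the identifier is visible in the rendered table; a reader now has to follow each link to learn which CVE a row refers to, and the page can no longer be searched by CVE number. Keep the identifier visible, either as the link text ("[CVE-2025-32711](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)") or by adding it to the Impact Summary cell, and label the source separately if that was the intent. Two unchanged lines in this hunk are worth fixing in the same pass: the Hub MCP row reads "drive it to run MCP commands over stdio, which leading to arbitrary OS command execution" (should be "leading to" or "which led to"), and the Agent-in-the-Middle row maps to "TI12 + TI13 (Rogue Agents)" where every other row uses the T-prefix (T12, T13).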
(Vendor / CVE / Discoverer) | |------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------| -| **EchoLeak (Zero-Click Prompt Injection) – Jun 2025** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)
• [CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)
• [Aim Security](https://www.aim.security/post/echoleak-blogpost) | +| **EchoLeak (Zero-Click Prompt Injection) – Jun 2025** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)
• [Aim Security](https://www.aim.security/post/echoleak-blogpost) | | **GitPublic Issue Repo Hijack – May 2025** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) | • —
• —
• [Invariant Labs](https://invariantlabs.ai/blog/mcp-github-vulnerability) | -| **Hub MCP Prompt Injection (Cross-Context) – Jun 2025** | A malicious web page could talk to the local MCP Inspector proxy (no auth) via DNS-rebinding/CSRF and drive it to run MCP commands over stdio, which leading to arbitrary OS command execution and data exfiltration. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution) | • [MCP](https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g)
• [CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-49596)
• [Oligo Security](https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596)| +| **Hub MCP Prompt Injection (Cross-Context) – Jun 2025** | A malicious web page could talk to the local MCP Inspector proxy (no auth) via DNS-rebinding/CSRF and drive it to run MCP commands over stdio, which leading to arbitrary OS command execution and data exfiltration. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution) | • [MCP](https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-49596)
• [Oligo Security](https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596)| | **Replit Vibe Coding Meltdown – Jul 2025** | Agent hallucinated data, deleted a production DB, and generated false outputs to hide mistakes | T07 (Deceptive Behaviour) | • [Replit](https://blog.replit.com/introducing-a-safer-way-to-vibe-code-with-replit-databases)
• —
• [SaaStr](https://www.saastr.com/replits-new-release-address-most-of-the-challenges-we-hit-vibe-coding-but-is-prosumer-vibe-coding-really-ready-for-commercial-apps-yet) | | **Agent-in-the-Middle (A2A Protocol Spoofing) – Apr 2025** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | TI12 + TI13 (Rogue Agents) | • —
• —
• [Trustwave](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-the-middle-abusing-agent-cards-in-the-agent-2-agent-protocol-to-win-all-the-tasks) | -| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | • [AWS](https://aws.amazon.com/security/security-bulletins/AWS-2025-015)
• [CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-8217)
• — | +| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | • [AWS](https://aws.amazon.com/security/security-bulletins/AWS-2025-015)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-8217)
• — | | **Google Gemini CLI File Loss – Jul 2025** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | T11 (Unexpected RCE) | • [Google](https://github.com/google-gemini/gemini-cli/issues/4586)
• — | -| **ToolShell RCE via SharePoint – Jul 2025** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770)
• [CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-53770)
• [Eye Security](https://research.eye.security/sharepoint-under-siege) | +| **ToolShell RCE via SharePoint – Jul 2025** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-53770)
• [Eye Security](https://research.eye.security/sharepoint-under-siege) | | **AgentSmith Prompt-Hub Proxy Attack – Jul 2025** | Proxy prompt agent exfiltrated API keys | ASI17 (Supply Chain) | • —
• —
• [Noma Security](https://noma.security/blog/how-an-ai-agent-vulnerability-in-langsmith-could-lead-to-stolen-api-keys-and-hijacked-llm-responses)| -| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | • —
• [CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-7021)
• [Google](https://github.com/google/security-research/security/advisories/GHSA-mmgx-755h-wr74)| +| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | • —
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-7021)
• [Google](https://github.com/google/security-research/security/advisories/GHSA-mmgx-755h-wr74)| | **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | • —
• —
• [Zenity Labs](https://labs.zenity.io/p/a-copilot-studio-story-2-when-aijacking-leads-to-full-data-exfiltration-bc4a)| -| **Flowise Pre-Auth Arbitrary File Upload – Mar 2025** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g)
• [CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-26319)
• [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) | +| **Flowise Pre-Auth Arbitrary File Upload – Mar 2025** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-26319)
• [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) | | **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • —
• —
• [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)| --- From 464120b84007e7e4fa1d98b7b4b5324902171448 Mon Sep 17 00:00:00 2001 From: almogbhl Date: Tue, 30 Sep 2025 18:05:22 +0300 Subject: [PATCH 6/9] added ForcedLeak --- .../ASI_Agentic_Exploits_Incidents.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md index a355ec45..8630d451 100644 --- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md +++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md @@ -30,5 +30,5 @@ Similarly, any aspects relating to incident response should be discussed with th | **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | • —
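Review bot: "[NVD]" is the right label for a link into nvd.nist.gov, but the mapping column in the same rows still mixes two naming schemes, and a commit titled "naming" is the place to settle it: EchoLeak, Replit, Amazon Q, ToolShell and Flowise use T-prefixed entries (T06, T07, T11, T17), the Hub MCP and AgentSmith rows use ASI01/ASI02/ASI05 and ASI17, and Agent-in-the-Middle uses "TI12 + TI13". Pick one scheme (the column header says "ASI T&M Mapping") and apply it to every row, so that readers can cross-reference the list. The Hub MCP row title also disagrees with its own summary and links: "Hub MCP Prompt Injection (Cross-Context)" is described as a DNS-rebinding/CSRF attack on the unauthenticated local MCP Inspector proxy, with the MCP advisory and CVE-2025-49596 linked, which is not a prompt injection; rename the row so title, summary and links agree (for example "MCP Inspector Unauthenticated Proxy RCE"). Finally, the OpenAI Operator row cites CVE-2025-7021 and a Google security-research advisory but no OpenAI source; please confirm those two references describe the Operator prompt-injection issue in the summary, since nothing in the row text ties them to Operator.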
• —
• [Zenity Labs](https://labs.zenity.io/p/a-copilot-studio-story-2-when-aijacking-leads-to-full-data-exfiltration-bc4a)| | **Flowise Pre-Auth Arbitrary File Upload – Mar 2025** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-26319)
• [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) | | **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • —
• —
• [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)| - +**ForcedLeak (Salesforce Agentforce)** | Critical indirect prompt injection in Salesforce Agentforce allows an external attacker to mislead the agent and exfiltrate sensitive CRM records outside the organization. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation) | • [Salesforce](https://help.salesforce.com/s/articleView?id=005135034&type=1)
• —
• [Noma Security](https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce) | --- From dcc9ba1bc57c329171831b3958ce6796c35d49d6 Mon Sep 17 00:00:00 2001 From: almogbhl Date: Wed, 1 Oct 2025 12:21:08 +0300 Subject: [PATCH 7/9] Added Agentic AI and Visual Studio Code --- .../ASI_Agentic_Exploits_Incidents.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md index 8630d451..73d3e87a 100644 --- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md +++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md @@ -30,5 +30,6 @@ Similarly, any aspects relating to incident response should be discussed with th | **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | • —
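Review bot: the added ForcedLeak row has no leading "|" (it starts "**ForcedLeak (Salesforce Agentforce)** | Critical indirect prompt injection..." while every other row starts "| **"), and the blank line that separated the table from the closing "---" is removed in the same change. GitHub's table parser tolerates a row without a leading pipe, but other renderers treat such a line as a paragraph, and a paragraph immediately followed by "---" is a setext heading, so the row could render as a level-2 heading instead of a table row; add the leading "|" and keep the row shaped like the rest. The title is also the only one without a "– Mon YYYY" suffix; the other entries carry a date, so add one. The mapping uses ASI01/ASI02 while most rows above use T-numbers; see the naming comment on the previous patch and use one scheme.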
• —
• [Zenity Labs](https://labs.zenity.io/p/a-copilot-studio-story-2-when-aijacking-leads-to-full-data-exfiltration-bc4a)| | **Flowise Pre-Auth Arbitrary File Upload – Mar 2025** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-26319)
• [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) | | **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • —
• —
• [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)| -**ForcedLeak (Salesforce Agentforce)** | Critical indirect prompt injection in Salesforce Agentforce allows an external attacker to mislead the agent and exfiltrate sensitive CRM records outside the organization. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation) | • [Salesforce](https://help.salesforce.com/s/articleView?id=005135034&type=1)
• —
• [Noma Security](https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce) | +**ForcedLeak (Salesforce Agentforce) – Sep 2025** | Critical indirect prompt injection in Salesforce Agentforce allows an external attacker to mislead the agent and exfiltrate sensitive CRM records outside the organization. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation) | • [Salesforce](https://help.salesforce.com/s/articleView?id=005135034&type=1)
• —
• [Noma Security](https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce) | +**Visual Studio Code & Agentic AI workflows RCE – Sep 2025** | Command injection in agentic AI workflows can let a remote, unauthenticated attacker cause VS Code to run injected commands on the developer’s machine. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55319)
• — --- From 68860867d99f242d6c903f897a93502afbd8a1be Mon Sep 17 00:00:00 2001 From: almogbhl Date: Thu, 2 Oct 2025 10:05:14 +0300 Subject: [PATCH 8/9] added postmark-mcp supply chain attack --- .../ASI_Agentic_Exploits_Incidents.md | 1 + 1 file changed, 1 insertion(+) diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md index 73d3e87a..ad85146e 100644 --- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md +++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md @@ -32,4 +32,5 @@ Similarly, any aspects relating to incident response should be discussed with th | **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • —
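Review bot: the new "Visual Studio Code & Agentic AI workflows RCE" row ends with "• —" and no closing "|", and, like the ForcedLeak row above it, has no leading "|"; add both so the row matches the rest of the table (the closing pipe is what strict renderers key on, and it keeps later diffs to this row readable). The title is vaguer than the other rows, which name product plus flaw: the row links MSRC and NVD for CVE-2025-55319 and the summary says "Command injection in agentic AI workflows can let a remote, unauthenticated attacker cause VS Code to run injected commands", so name the affected VS Code feature as the MSRC advisory describes it. The discoverer slot is "• —" although the linked advisory exists; if it credits a reporter, link that credit. Adding "– Sep 2025" to the ForcedLeak title in the same hunk resolves the missing-date comment on the previous patch.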
• —
• [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)| **ForcedLeak (Salesforce Agentforce) – Sep 2025** | Critical indirect prompt injection in Salesforce Agentforce allows an external attacker to mislead the agent and exfiltrate sensitive CRM records outside the organization. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation) | • [Salesforce](https://help.salesforce.com/s/articleView?id=005135034&type=1)
• —
• [Noma Security](https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce) | **Visual Studio Code & Agentic AI workflows RCE – Sep 2025** | Command injection in agentic AI workflows can let a remote, unauthenticated attacker cause VS Code to run injected commands on the developer’s machine. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55319)
• — +**Malicious MCP Server Impersonating Postmark – Sep 2025** | Reported as the first in-the-wild malicious MCP server on npm; it impersonated postmark-mcp and secretly BCC’d emails to the attacker.| • ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain)
• ASI07 (Insecure Inter-Agent Communication)| • [Postmark](https://postmarkapp.com/blog/information-regarding-malicious-postmark-mcp-package)
• —
• [Koi Security](https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft) --- From 7217a3912e64f5cecc1e25503bcc3fb00d3c0dfe Mon Sep 17 00:00:00 2001 From: almogbhl Date: Thu, 2 Oct 2025 15:11:33 +0300 Subject: [PATCH 9/9] added google gemini trifecta --- .../ASI_Agentic_Exploits_Incidents.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md index ad85146e..d6ed8646 100644 --- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md +++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md @@ -31,6 +31,7 @@ Similarly, any aspects relating to incident response should be discussed with th | **Flowise Pre-Auth Arbitrary File Upload – Mar 2025** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g)
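Review bot: the Postmark row is added without a leading or closing "|" (it ends at the Koi Security link with nothing after), repeating the formatting of the two rows above it; add both pipes, and add the missing space before the cell separator in "secretly BCC’d emails to the attacker.|". On the mapping, ASI04 (Agentic Supply Chain) and ASI02 fit a malicious npm package impersonating postmark-mcp, but ASI07 (Insecure Inter-Agent Communication) is a stretch: the summary describes a trojanised MCP server silently BCC’ing mail, not a weakness in how agents communicate with each other, so either drop ASI07 or add the agent-to-agent angle to the summary. "Reported as the first in-the-wild malicious MCP server on npm" names no reporter; since the Koi Security post is linked, write "Koi Security reports it as the first..." so the claim is traceable to a source in the row.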
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-26319)
• [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) | | **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • —
• —
• [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)| **ForcedLeak (Salesforce Agentforce) – Sep 2025** | Critical indirect prompt injection in Salesforce Agentforce allows an external attacker to mislead the agent and exfiltrate sensitive CRM records outside the organization. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation) | • [Salesforce](https://help.salesforce.com/s/articleView?id=005135034&type=1)
• —
• [Noma Security](https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce) | -**Visual Studio Code & Agentic AI workflows RCE – Sep 2025** | Command injection in agentic AI workflows can let a remote, unauthenticated attacker cause VS Code to run injected commands on the developer’s machine. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55319)
• — -**Malicious MCP Server Impersonating Postmark – Sep 2025** | Reported as the first in-the-wild malicious MCP server on npm; it impersonated postmark-mcp and secretly BCC’d emails to the attacker.| • ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain)
• ASI07 (Insecure Inter-Agent Communication)| • [Postmark](https://postmarkapp.com/blog/information-regarding-malicious-postmark-mcp-package)
• —
• [Koi Security](https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft) +**Visual Studio Code & Agentic AI workflows RCE – Sep 2025** | Command injection in agentic AI workflows can let a remote, unauthenticated attacker cause VS Code to run injected commands on the developer’s machine. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55319)
• — | +**Malicious MCP Server Impersonating Postmark – Sep 2025** | Reported as the first in-the-wild malicious MCP server on npm; it impersonated postmark-mcp and secretly BCC’d emails to the attacker.| • ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain)
• ASI07 (Insecure Inter-Agent Communication)| • [Postmark](https://postmarkapp.com/blog/information-regarding-malicious-postmark-mcp-package)
• —
• [Koi Security](https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft) | +| **Google Gemini Trifecta — Sep 2025** | Indirect prompt injection through logs, search history, and browsing context can trick Gemini into exposing sensitive data and carrying out unintended actions across connected Google services. | • ASI01 (Agent Behaviour Hijack)
• ASI02 (Tool Misuse & Exploitation)| • —
• —
• [Tenable](https://www.tenable.com/blog/the-trifecta-how-three-new-gemini-vulnerabilities-in-cloud-assist-search-model-and-browsing) | ---
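Review bot: the VS Code and Postmark rows still lack a leading "|" even though this hunk touches both to add the closing one, so the three rows from ForcedLeak down remain shaped differently from the rest of the table; add the leading pipe in the same pass rather than in a later fix-up. The new Gemini row separates title and date with an em dash ("Google Gemini Trifecta — Sep 2025") where every other title uses an en dash ("– Sep 2025"); make it consistent so the dash cannot be confused with the "—" placeholder used for empty link slots. The row cites only Tenable, with "—" in the vendor and CVE slots; if Google published a bulletin or changelog for these fixes, link it in the vendor slot, and otherwise the summary's claims about "logs, search history, and browsing context" and "connected Google services" rest on the Tenable write-up alone, which is acceptable but should be stated as Tenable's finding.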