Radware Exposes Critical ChatGPT Zero-Click Vulnerability

Summary

– Radware discovered “ShadowLeak,” a zero-click vulnerability in ChatGPT’s Deep Research agent that allows attackers to exfiltrate sensitive information without any user interaction.
– The attack is fully covert, requiring only that a malicious email be sent to a user, as the agent autonomously interacts with the message and leaks data from OpenAI’s cloud servers.
– This vulnerability represents a new class of server-side AI agent attacks that bypass traditional security controls and leave no network-level evidence, making detection extremely difficult.
– The research highlights that AI autonomy combined with SaaS services creates unforeseen risks, as these attack vectors often evade the detection capabilities of conventional security tools.
– Radware responsibly disclosed the flaw to OpenAI, which has since fixed it, and the company will host a webinar to detail the attack and provide defense recommendations.

Cybersecurity firm Radware has identified a significant security flaw within the ChatGPT Deep Research agent, a vulnerability that enables the extraction of sensitive information without requiring any interaction from the user. This newly discovered threat, named “ShadowLeak,” represents a serious advancement in attack methodology, as it operates with complete autonomy on OpenAI’s cloud servers. The exploit requires no clicks, prompts, or any other visible indicators, making traditional network and endpoint security measures ineffective against it.

The vulnerability was demonstrated by Radware’s Security Research Center, which showed that an attacker could initiate a data breach simply by sending an email to a target. The ChatGPT agent, acting on its own, would process the malicious email and exfiltrate data without the victim ever opening or even seeing the message. This marks a critical evolution in cyber threats, moving beyond attacks that rely on user error to those that leverage the autonomous nature of AI agents themselves.

David Aviv, Radware’s chief technology officer, described the exploit as the definitive zero-click attack. He emphasized that the entire process is invisible to the user, with all malicious activity occurring covertly on OpenAI’s infrastructure. The research team, including Gabi Nakibly and Zvika Babo, identified this as the first purely server-side data leak, a method that leaves no traceable evidence on the customer’s network.

Pascal Geenens, Radware’s director of cyber threat intelligence, warned that enterprises integrating AI into their workflows face a new category of risk. The combination of AI autonomy, software-as-a-service delivery models, and access to sensitive corporate data creates attack vectors that conventional security tools are ill-equipped to handle. This research arrives as businesses rapidly adopt AI technologies, with ChatGPT reportedly serving millions of paying business customers, highlighting the widespread potential impact.

To address these findings, Radware will host a detailed webinar on October 16, 2025, offering security leaders and developers an in-depth analysis of the ShadowLeak vulnerability. The session will cover the technical mechanics of the attack and propose best practices for securing AI agents against similar threats. Following the webinar, Radware will publish its complete technical research and defensive recommendations.

The vulnerability was responsibly disclosed to OpenAI in June 2025, and a fix was confirmed by early September. Radware has acknowledged OpenAI’s cooperative approach in resolving the issue. This discovery underscores the critical need for ongoing, proactive security research as AI systems become more deeply embedded in enterprise operations, ensuring these powerful tools can be used safely and securely.

(Source: ITWire Australia)
