LoginGet a Demo

AgentFlayer: 0Click Exploit Methods

Zenity Labs’ latest research exposes how attackers can compromise these AI agents through 0click (no user interaction) exploits. The results? Unauthorized access, data exfiltration, memory manipulation, and even control of conversations.

Hero image

Continue the Conversation at the AI Agent Security Summit 2025

Join leading researchers, CISOs, and security engineers as we go deeper into the vulnerabilities uncovered in this research. Hear exclusive insights, live demos, and actionable defense strategies.

October 8 | Commonwealth Club | San Francisco

Reserve Your Spot Now
Feature media

AI Agents: Powerful, Pervasive, and Dangerously Vulnerable

Our findings demonstrate full attack chains against the most popular enterprise AI platforms, including ChatGPT, Microsoft Copilot Studio, Salesforce Einstein, and others. In each case, “attackers” were able to breach organizational boundaries using the agents’ own capabilities - without any user action in several scenarios.

Assess Your AI Risk Today

Enterprise Platforms. Real-world Attacks. Zero User Protection.

Zenity Labs’ investigated how major AI agents fare against active exploitation. Here are the highlights

ChatGPT

Attack simulation allowed for the hijacking of ChatGPT sessions using just an email address. Once compromised, they gain access to Google Drive, manipulate memory, and exfiltrate sensitive data - all without user input.

Microsoft Copilot Studio

Attacks included extraction of CRM data and tool misuse by triggering malicious agent behavior remotely.

Cursor + Jira

Automated Jira ticket systems (integrated with Cursor) as they can use the inputs to compromise developer environments and extract credentials.

Salesforce Einstein

Compromised support cases can allow attackers to hijack sessions and reroute all customer communications through malicious email addresses creating full CRM compromise.

Google Gemini

Agent responses can be manipulated by embedding malicious prompts in emails or calendar invites. Once engaged, Gemini acts as a deceptive insider, misguiding users with false financial data or phishing attempts.

Microsoft 365 Copilot

Teams messages and invisible prompt injections in shared docs allow attackers to hijack Copilot behavior, exfiltrate past chats, and impersonate trusted insiders.

Secure Your Agents

We’d love to chat with you about how your team can secure
and govern AI Agents everywhere.

Get a Demo