
A zero-click AI vulnerability, dubbed EchoLeak (CVE-2025-32711), has been identified in Microsoft 365 Copilot. It enables unauthorized data exfiltration via malicious prompts embedded in content like emails and requires no user interaction. Microsoft addressed the vulnerability in its June 2025 Patch Tuesday. Separately, tool poisoning attacks (TPA) and Full-Schema Poisoning (FSP) targeting the Model Context Protocol (MCP) pose risks to AI agents by manipulating tool schemas to access sensitive data, while MCP rebinding attacks exploit Server-Sent Events (SSE) to access internal resources and exfiltrate confidential data. Together these highlight critical security concerns in AI-driven automation and agentic applications.
A critical-rated (CVSS 9.3) zero-click AI vulnerability, EchoLeak (CVE-2025-32711), was identified in Microsoft 365 Copilot, allowing potential unauthorized data exfiltration without user interaction. Microsoft (MSFT) has addressed this vulnerability, which involved an LLM Scope Violation leading to indirect prompt injection, prior to any known malicious exploitation. The attack, discovered by Aim Security, could leverage Copilot's retrieval-augmented generation (RAG) engine to leak sensitive data via embedded prompts in content like emails.

This specific vulnerability underscores broader security challenges in AI, as further evidenced by CyberArk's (CYBR) disclosure of tool poisoning attacks (TPA) and Full-Schema Poisoning (FSP) targeting the Model Context Protocol (MCP). These MCP vulnerabilities exploit the protocol's trust model, potentially allowing attackers to manipulate AI agents into accessing sensitive information by poisoning tool schemas. The article also highlights risks within the MCP client-server architecture, such as a flaw in a GitHub MCP integration enabling agent hijacking, and MCP rebinding attacks that exploit Server-Sent Events (SSE) for DNS rebinding to access internal MCP servers, although SSE was deprecated in November 2024 due to such risks.

These findings collectively point to an evolving threat landscape where the increasing autonomy and connectivity of AI agents create new, complex security blind spots that require robust mitigation strategies beyond simple patches, including granular permission controls and continuous auditing. The overall sentiment surrounding these disclosures is moderately negative, particularly for Microsoft, though CyberArk's role in uncovering vulnerabilities could be perceived positively for its expertise.
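For the MCP rebinding risk described above, the standard server-side defense against DNS rebinding is to validate the `Host` and `Origin` headers before serving the SSE stream. The following is an added example, not code from the article or from any MCP SDK; the port, hostnames and function name are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed deployment: MCP server bound to loopback on port 8931 (hypothetical).
ALLOWED_HOSTS = {"127.0.0.1:8931", "localhost:8931"}
ALLOWED_ORIGINS = {"http://127.0.0.1:8931", "http://localhost:8931"}


def check_request(headers, hosts=ALLOWED_HOSTS, origins=ALLOWED_ORIGINS):
    """Return (allowed, reason) for a request to the local SSE endpoint."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # After rebinding, the browser still sends the attacker's hostname in Host,
    # even though the TCP connection now terminates on 127.0.0.1.
    host = h.get("host", "").lower()
    if host not in hosts:
        return False, f"rejected Host {host!r}"

    # Non-browser MCP clients typically send no Origin; browsers add it on
    # cross-origin requests, which exposes a web page calling loopback directly.
    origin = h.get("origin")
    if origin is None:
        return True, "ok"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}".lower() not in origins:
        return False, f"rejected Origin {origin!r}"
    return True, "ok"


# Constructed sample requests (hostnames are placeholders).
SAMPLES = {
    "local client": {"Host": "127.0.0.1:8931", "Accept": "text/event-stream"},
    "rebound page": {"Host": "rebind.attacker.example:8931"},
    "cross-origin page": {"Host": "localhost:8931",
                          "Origin": "https://attacker.example"},
    "local web UI": {"Host": "localhost:8931",
                     "Origin": "http://localhost:8931"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:18} -> {check_request(hdrs)}")
```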
Overall Sentiment
moderately negative
Sentiment Score
-0.40