Agentic AI System Vulnerabilities Surface
Key Questions
What is EchoLeak and why was it patched by Microsoft?
EchoLeak is a zero-click prompt injection vulnerability in M365 Copilot rated CVSS 9.3. Microsoft issued a patch to address this critical flaw in its agentic AI system.
What is Chain-of-Thought Spoofing and how effective is it?
Chain-of-Thought Spoofing, or CoT Forgery, allows attackers to inject fabricated reasoning that LLMs mistake for their own internal thoughts. An ICML 2026 paper showed it achieves 56-80% success across six frontier models by exploiting the models' tendency to prioritize writing style over metadata tags.
How can organizations secure the Model Context Protocol (MCP) against attacks?
Six containment methods address risks like tool poisoning, prompt injection, SSRF, and IDE compromise in MCP implementations. These steps help mitigate emerging threats in agentic AI environments.
What does the RAND study reveal about Claude Code's offensive potential?
The RAND study found that Claude Code enables novices to solve capture-the-flag challenges, demonstrating agentic AI's ability to automate offensive tasks. This highlights growing risks as such tools lower barriers for attackers.
What warning did Kevin Mandia issue about agentic AI at RSA 2026?
Kevin Mandia described a 'perfect storm for offense' as agentic AI automates the full kill chain. This reflects broader trends where prompt injection and related attacks are rising while existing defenses like OWASP Top 10 become outdated.
Microsoft patches EchoLeak (CVSS 9.3), a zero-click prompt injection in M365 Copilot.
POISE attack on LLM agents.
NVIDIA SkillSpector.
Multi-agency guidance.
Claude Code sandbox escape.
MCP risk containment: six ways to secure the Model Context Protocol (tool poisoning, prompt injection, SSRF, IDE compromise).
Orca Security: 80% of apps embed AI agents.
Cisco expands its agentic security portfolio.
Google Gemini 3.5 Flash gains native computer use with adversarial prompt injection training.
RAND study shows Claude Code enables novices to solve CTFs, highlighting agentic offensive potential.
VibeSecCon 2026: prompt injection rising, OWASP Top 10 outdated.
New threshold MCP poisoning attack using Shamir's Secret Sharing achieves a 90%+ success rate while evading detection.
Autonomous security trend: shift from AI copilot to autonomous investigator with graduated authority.
Kevin Mandia at RSA 2026 warns of a 'perfect storm for offense' as agentic AI automates the kill chain.
GPTFuzz automated jailbreak fuzzing achieves >90% ASR on GPT-4, demonstrating filter brittleness.
New article maps Sandworm's ICS attack methodology to AI infrastructure, identifying four attack classes (targeting training data, model weights, inference pipelines, and orchestration layers) with defensive countermeasures.
New: Chain-of-Thought Spoofing (CoT Forgery) exploits LLMs' tendency to prioritize writing style over metadata tags, allowing spoofed internal reasoning to be injected; a new twist on prompt injection that targets reasoning chains.
New: Article on confidence without visibility highlights reasoning compromise attacks and AIBOM, reinforcing the need for continuous discovery.
New: ICML 2026 paper confirms CoT Forgery achieves 56-80% success across six frontier LLMs, bypassing safety training.
New: AI browsers (e.g., ChatGPT Atlas) break the same-origin policy, enabling prompt injection and memory poisoning; UW research confirms a critical flaw in production tools.