EchoLeak exploit (CVE-2025-32711)
web · unit42.paloaltonetworks.com · unit42.paloaltonetworks.com/agentic-ai-threats/
A Unit 42 security research disclosure detailing a concrete agentic AI exploit; highly relevant for practitioners building or auditing AI agent systems that interact with external tools and data sources.
Metadata
Importance: 62/100 · blog post · analysis
Summary
Unit 42 (Palo Alto Networks) analyzes EchoLeak (CVE-2025-32711), a vulnerability in agentic AI systems that allows adversarial prompt injection via tool/function calls and API integrations, enabling data exfiltration and unauthorized actions. The research demonstrates how multi-step AI agents can be compromised through malicious content in external data sources, highlighting systemic risks in agentic architectures. It serves as a concrete case study in real-world AI security vulnerabilities.
Key Points
- CVE-2025-32711 (EchoLeak) exploits prompt injection in agentic AI pipelines where AI agents process untrusted external content via function calls and API integrations.
- Attackers can embed malicious instructions in documents or web content that AI agents retrieve, causing the agent to exfiltrate data or perform unauthorized actions.
- The vulnerability demonstrates how agentic systems that chain multiple tool calls are especially susceptible to indirect prompt injection attacks.
- The research underscores that current AI agent frameworks lack robust input sanitization and trust boundary enforcement between internal and external data.
- Mitigations include output filtering, strict tool-use policies, sandboxing agent actions, and treating all external content as untrusted input.
Cited by 3 pages
| Page | Type | Quality |
|---|---|---|
| Tool Use and Computer Use | Capability | 67.0 |
| Sandboxing / Containment | Approach | 91.0 |
| Tool-Use Restrictions | Approach | 91.0 |
Cached Content Preview
HTTP 200 · Fetched Mar 20, 2026 · 97 KB
# AI Agents Are Here. So Are the Threats.
 21 min read
By:
- [Jay Chen](https://unit42.paloaltonetworks.com/author/jaychenpaloaltonetworks-com/)
- [Royce Lu](https://unit42.paloaltonetworks.com/author/royce-lu/)
Published: May 1, 2025
Categories:
- [Malware](https://unit42.paloaltonetworks.com/category/malware/)
- [Threat Research](https://unit42.paloaltonetworks.com/category/threat-research/)
Tags:
- [Agentic AI](https://unit42.paloaltonetworks.com/tag/agentic-ai/)
- [AI](https://unit42.paloaltonetworks.com/tag/ai/)
- [BOLA](https://unit42.paloaltonetworks.com/tag/bola/)
- [GenAI](https://unit42.paloaltonetworks.com/tag/genai/)
- [Prompt injection](https://unit42.paloaltonetworks.com/tag/prompt-injection/)
Resource ID: d6f4face14780e85 | Stable ID: MTkwZmI4Zm