Every Major AI Platform Has Unpatched Exploits That Hijack Agents

The property that makes AI agents useful—they follow instructions—is precisely what makes them dangerous. That's the thesis Michael Bargury, CTO of AI security company Zenity, is bringing to RSA Conference 2026 this week, backed by working exploits against every major enterprise AI platform on the market.

"AI is just gullible," Bargury told The Register ahead of his RSAC presentation, titled "Your AI Agents Are My Minions." "We are trying to shift the mindset from prompt injection—because it is a very technical term—and convince people that this is actually just persuasion. I'm just persuading the AI agent that it should do something else."

That persuasion is the attack class. In the talk, Bargury will demonstrate zero-click exploits against Cursor, Salesforce's Agentforce, ChatGPT, Google Gemini, and Microsoft Copilot. Zero-click means no user interaction required: an attacker plants a malicious prompt somewhere the agent will eventually read—an email, a support ticket, a document, a calendar invite—and waits.

The attacks build on AgentFlayer, research Bargury and his Zenity co-researcher Tamir Ishay Sharbat first presented at Black Hat USA 2025. According to Zenity Labs' press release from that disclosure, they found working exploits in ChatGPT, Copilot Studio, Salesforce Einstein, Gemini, Microsoft 365 Copilot, and Cursor. OpenAI and Microsoft issued patches. Multiple other vendors declined to patch, citing intended functionality—which is a fairly honest description of the problem.

The worked example Bargury plans to demonstrate at RSAC shows the dependency graph clearly. Cursor, the AI-assisted coding tool built on Anthropic's Claude models, connects to Jira via a Model Context Protocol (MCP) integration. MCP—an open protocol from Anthropic for connecting AI assistants to external tools and data sources—allows the agent to read, create, and update Jira tickets directly from the editor. Developers use this to automate ticket handling: emails come in, Cursor reads them, creates tickets, works through them.

Some of those emails come from outside the organization. An attacker can search for endpoints that accept support emails with automatic Jira ticket creation, then send an email with a malicious prompt embedded in the body. Cursor reads the email, interprets the embedded instructions, and acts on them.

The wrinkle is that Cursor has guardrails—it won't exfiltrate secrets on request. So Zenity's team didn't ask it to steal secrets. They told the agent it was participating in a treasure hunt, and that "apples" look exactly like secret files. The agent complied, found the apples, and sent them to a Zenity-controlled endpoint—enabling remote code execution in the process.

This specific attack chain was first published by Invariant Labs (since acquired by Snyk, the developer security company) in May 2025, as Snyk Labs documented. Zenity published independently in August 2025. Cursor's response to responsible disclosure: this is a known issue. That's accurate. The issue is architectural.

Developer and researcher Simon Willison put a framework around it in his August 2025 analysis of the Cursor+Jira attack, identifying what he calls the lethal trifecta: access to private data, exposure to untrusted content, and the ability to exfiltrate. Any agent that satisfies all three conditions is exploitable via indirect prompt injection. Most enterprise agents do.

MCP is scaling the attack surface faster than the security layer is catching up. Palo Alto Networks' Unit 42 team published an analysis in December 2025 identifying how MCP's sampling feature—which allows servers to request that the model perform inference on their behalf—inverts the trust model. Under normal MCP, the client calls tools. Under sampling, the server calls back into the model. The result is three new attack vectors: resource theft, conversation hijacking, and covert tool invocation. The model treats these sampling requests as trusted instructions from a server it's already been given permission to connect to.

Zenity Labs' technical writeup on the ChatGPT Connectors attack chain shows how far this extends. In that attack, a malicious prompt embedded in an uploaded document using invisible 1-pixel white text combines with an image URL that exfiltrates Google Drive data. The agent renders the document, reads the hidden instruction, and leaks data to an attacker-controlled server—all while the user sees a normal-looking file. The attack is generic: any agent that renders uploaded documents and can make outbound requests is potentially vulnerable.

It isn't limited to document handling or tool integrations either. PromptArmor researchers found in February 2026 that AI agents spill secrets just by previewing malicious links, as The Register reported—with Microsoft Teams paired with Copilot Studio as the largest offender, alongside Discord with OpenClaw agents and Slack with Cursor's Slackbot. And earlier this month, The Register covered Zenity's disclosure of a Perplexity Comet browser vulnerability: a calendar invite written in Hebrew—bypassing English-language guardrails—with many newlines to hide malicious content from the UI, enabling local file system access and 1Password vault takeover. Patched in February 2026.

The most significant detail in Bargury's Register interview is the one buried toward the end: the honeypots. Zenity runs a global network of honeypots disguised as enterprise AI agents, and those honeypots are already capturing prompt-level attack probes from real adversaries—not port scans or credential stuffing, but prompts designed to identify what model is running or co-opt the agent for the attacker's purposes.

"These are not just network-level requests," Bargury said. "They will send out a prompt to try to either use your system for their purposes, or try to understand what model you're hosting. So it's already happening."

That moves this from research that could be exploited to an active attack class in the wild. Reconnaissance is under way.

Bargury's prescription is hard boundaries: deterministic limitations enforced at the code level, before the model's reasoning runs. "If you just ask the AI really nicely not to do something—that's not a boundary," he said. "You need to put software around it that actually limits its capabilities." The concrete example: if an agent reads sensitive data, a hard boundary prevents it from transmitting that data outside the organization, regardless of what the model's reasoning concludes about whether it should. The boundary isn't a policy prompt—it's a code-level constraint that runs before the LLM gets a say.

That's a prescription aimed at builders. For users, the advice is harder and less satisfying: stop fully trusting the trusted advisor. An agent that follows instructions compliantly will follow the wrong instructions compliantly.

One thing worth flagging: Zenity has raised over $55 million total, including a $38 million Series B in October 2024 co-led by Third Point Ventures and DTCP, with Microsoft M12, Intel Capital, and Vertex Ventures Israel among earlier investors. They sell agent security platforms. Their commercial interest in dramatizing the threat they offer protection against is real, and worth holding in mind when reading Zenity research. But working exploits—published, independently reproduced, and already appearing in honeypot logs—make their own argument. The research predates the Series B. The honeypot data doesn't need a press release.

The RSAC talk is Monday. The research isn't new. What's new is that deployment has outrun the security layer by enough that attackers have started probing without waiting for the conference to end.