New ShadowLeak exploit directs ChatGPT’s Deep Research agent to exfiltrate sensitive customer data autonomously, from OpenAI servers
Radware, a leading provider of cybersecurity and application delivery solutions, announced the discovery of a previously unknown zero-click vulnerability affecting the ChatGPT Deep Research agent. The flaw, dubbed “ShadowLeak,” allows attackers to exfiltrate sensitive information from users without any clicks, prompts or visible signs of compromise on the network or endpoint.
The vulnerability, which Radware disclosed to OpenAI under responsible disclosure protocols, demonstrates a new class of attack on AI agents as they continue to gain broad enterprise adoption. These fully covert, automated agent exploits bypass traditional security controls. Radware’s Security Research Center (RSRC) successfully demonstrated that an attacker could exploit the vulnerability by simply sending an email to the user. Once the agent interacted with the malicious email, sensitive data was extracted without victims ever viewing, opening or clicking the message.
“This is the quintessential zero-click attack,” said David Aviv, chief technology officer at Radware. “There is no user action required, no visible cue and no way for victims to know their data has been compromised. Everything happens entirely behind the scenes through autonomous agent actions on OpenAI cloud servers.”
With ShadowLeak, Radware researchers Gabi Nakibly, Zvika Babo (co-lead researchers) with contribution from Maor Uziel, discovered the first purely server-side sensitive data leak. Without any user action (zero-click), ChatGPT’s Deep Research agent, executing in the OpenAI cloud, performed the sensitive data exfiltration autonomously from OpenAI servers. Unlike previously disclosed zero-click attacks, ShadowLeak operates independently and leaves no network level evidence, making these threats nearly impossible to detect from the perspective of the ChatGPT business customer.
Also Read: CIO Influence Interview with Dipto Chakravarty, Chief Product and Technology Officer at Black Duck
“Enterprises adopting AI cannot rely on built-in safeguards alone to prevent abuse,” said Pascal Geenens, director of cyber threat intelligence at Radware. “Our research highlights that the combination of AI autonomy, SaaS services and integration with customers’ sensitive data sources introduces an entirely new class of risks. AI-driven workflows can be manipulated in ways not yet anticipated, and these attack vectors often bypass the visibility and detection capabilities of traditional security solutions.”
The research arrives at a pivotal moment for enterprise AI adoption. During an August 2025 CNBC interview, Nick Turley, VP of product for ChatGPT, stated that it has 5 million paying business users on ChatGPT, underscoring the potential scale of exposure. Radware’s findings suggest that enterprises relying solely on vendor mitigations or traditional security tools are leaving themselves exposed to an entirely new class of AI attacks.
For more information review Radware’s latest Threat Advisory and Blog Article: ShadowLeak: A Zero-Click, Service-Side Attack Exfiltrating Sensitive Data Using ChatGPT’s Deep Research Agent.
Radware Webinar on ShadowLeak
Radware will host a live webinar on October 16, 2025, “ShadowLeak: A Deep Dive into the First Zero-Click, Service-Side Vulnerability in ChatGPT.”
Security leaders and AI developers are invited to attend and explore the anatomy of the ShadowLeak attack, best practices for securing AI agents and the future of responsible AI threat research.
Radware conducts this threat research on behalf of the wider cybersecurity community, ensuring security professionals have the same insights as attackers. The complete research, including technical breakdowns and defense recommendations, will be available at Radware’s SRC following the webinar.
Responsible Disclosure
Radware reported the vulnerability to OpenAI on June 18, 2025, under responsible disclosure protocols. OpenAI acknowledged the issue and notified Radware of the fix on September 3, 2025. Radware commends OpenAI’s collaboration and commitment to ecosystem safety. This discovery reinforces Radware’s commitment to cybersecurity by anticipating threats that traditional tools miss and ensuring AI agents operate within safe, secure and trusted boundaries.
Catch more CIO Insights: Today’s CISO: Navigating AI Risk, Cloud Complexity, and Evolving Threats
[To share your insights with us, please write to psen@itechseries.com ]
