Radware Uncovers First Zero-Click, Service-Side Vulnerability in ChatGPT
Radware (NASDAQ: RDWR) has discovered a critical security vulnerability named "ShadowLeak" in ChatGPT's Deep Research agent. This zero-click vulnerability enables attackers to extract sensitive data from OpenAI servers without any user interaction or visible signs of compromise.
The vulnerability, discovered by Radware's Security Research Center researchers Gabi Nakibly and Zvika Babo, can be triggered simply by sending an email to a user. Once the agent processes the malicious email, data exfiltration occurs automatically on OpenAI's servers, bypassing traditional security controls.
Radware responsibly disclosed the vulnerability to OpenAI on June 18, 2025, and a fix was implemented by September 3, 2025. The company will host a detailed webinar on October 16, 2025, to discuss the implications and defense strategies for this new class of AI-driven security threats.
Radware (NASDAQ: RDWR) ha scoperto una vulnerabilità di sicurezza critica denominata «ShadowLeak» nell'agente Deep Research di ChatGPT. Questa vulnerabilità senza clic consente agli attaccanti di estrarre dati sensibili dai server OpenAI senza alcuna interazione da parte dell'utente o segnali visibili di compromissione.
La vulnerabilità, scoperta dai ricercatori del Radware Security Research Center, Gabi Nakibly e Zvika Babo, può essere attivata semplicemente inviando un'email a un utente. Una volta che l'agente elabora l'email dannosa, l'esfiltrazione dei dati avviene automaticamente sui server di OpenAI, aggirando i controlli di sicurezza tradizionali.
Radware ha divulgato responsabilmente la vulnerabilità a OpenAI il 18 giugno 2025, e una correzione è stata implementata entro il 3 settembre 2025. L'azienda terrà un webinar dettagliato il 16 ottobre 2025 per discutere le implicazioni e le strategie di difesa per questa nuova classe di minacce di sicurezza guidate dall'IA.
Radware (NASDAQ: RDWR) ha descubierto una vulnerabilidad de seguridad crítica denominada «ShadowLeak» en el agente Deep Research de ChatGPT. Esta vulnerabilidad de cero-click permite a los atacantes extraer datos sensibles de los servidores de OpenAI sin ninguna interacción del usuario o señales visibles de compromiso.
La vulnerabilidad, descubierta por los investigadores del Security Research Center de Radware, Gabi Nakibly y Zvika Babo, puede activarse simplemente enviando un correo electrónico a un usuario. Una vez que el agente procesa el correo malicioso, la exfiltración de datos ocurre automáticamente en los servidores de OpenAI, eludiendo controles de seguridad tradicionales.
Radware divulgó responsablemente la vulnerabilidad a OpenAI el 18 de junio de 2025, y se implementó una solución para el 3 de septiembre de 2025. La empresa conducirá un seminario web detallado el 16 de octubre de 2025 para discutir las implicaciones y estrategias de defensa ante esta nueva clase de amenazas de seguridad impulsadas por IA.
Radware (NASDAQ: RDWR)가 ChatGPT의 Deep Research 에이전트에서 «ShadowLeak»이라는 심각한 보안 취약점을 발견했습니다. 이 제로 클릭 취약점을 통해 공격자는 사용자의 상호작용이나 눈에 보이는 침해 흔적 없이 OpenAI 서버에서 민감한 데이터를 추출할 수 있습니다.
해당 취약점은 Radware 보안 연구 센터의 연구원 가비 나키블리 및 즈비아 바보에 의해 발견되었으며, 사용자의 이메일을 한 통 보내는 것만으로도 작동합니다. 악의적인 이메일을 에이전트가 처리하면 데이터 탈취가 OpenAI의 서버에서 자동으로 발생하고 전통적인 보안 제어를 우회합니다.
Radware는 2025년 6월 18일 OpenAI에 책임 있게 이 취약점을 공개했고, 2025년 9월 3일까지 수정이 적용되었습니다. 회사는 2025년 10월 16일에 이 새로운 AI 주도 보안 위협의 영향과 방어 전략을 논의하는 자세한 웨비나를 개최할 예정입니다.
Radware (NASDAQ: RDWR) a découvert une vulnérabilité de sécurité critique nommée « ShadowLeak » dans l’agent Deep Research de ChatGPT. Cette vulnérabilité sans interaction nécessite aucune action de l’utilisateur et permet à des attaquants d’extraire des données sensibles des serveurs OpenAI sans signes visibles de compromission.
La vulnérabilité, découverte par les chercheurs du Security Research Center de Radware, Gabi Nakibly et Zvika Babo, peut être déclenchée simplement en envoyant un e-mail à un utilisateur. Une fois que l’agent traite l’e-mail malveillant, l’exfiltration des données se produit automatiquement sur les serveurs d’OpenAI, contournant les contrôles de sécurité traditionnels.
Radware a divulgué la vulnérabilité de manière responsable à OpenAI le 18 juin 2025, et une correction a été mise en place le 3 septembre 2025. L’entreprise organisera un webinaire détaillé le 16 octobre 2025 pour discuter des implications et des stratégies de défense face à cette nouvelle catégorie de menaces de sécurité pilotées par l’IA.
Radware (NASDAQ: RDWR) hat eine kritische Sicherheitslücke namens „ShadowLeak“ im Deep-Research-Agenten von ChatGPT entdeckt. Diese Zero-Click-Schwachstelle ermöglicht es Angreifern, sensible Daten von OpenAI-Servern zu extrahieren, ohne jegliche Benutzerinteraktion oder sichtbare Anzeichen einer Kompromittierung.
Die Schwachstelle wurde von den Forschern des Radware Security Research Center, Gabi Nakibly und Zvika Babo, entdeckt und kann einfach ausgelöst werden, indem man einem Benutzer eine E-Mail sendet. Sobald der Agent die bösartige E-Mail verarbeitet, erfolgt die Datenexfiltration automatisch auf den Servern von OpenAI und umgeht traditionelle Sicherheitskontrollen.
Radware hat die Schwachstelle verantwortungsvoll am 18. Juni 2025 OpenAI gemeldet, und eine Behebung wurde bis zum 3. September 2025 implementiert. Das Unternehmen wird am 16. Oktober 2025 ein detailliertes Webinar abhalten, um die Auswirkungen und Abwehrstrategien für diese neue Klasse KI-gesteuerter Sicherheitsbedrohungen zu diskutieren.
Radware (NASDAQ: RDWR) اكتشفت ثغرة أمنية حرجة تسمّى «ShadowLeak» في وكيل Deep Research الخاص بـ ChatGPT. هذه الثغرة من دون نقرة تتيح للمهاجمين استخراج بيانات حساسة من خوادم OpenAI دون أي تفاعل من المستخدم أو علامات اختراق ظاهرة.
تم اكتشاف الثغرة من قِبل باحثي مركز أبحاث الأمن في Radware، جيبي ناكبلوِي وزفييا بابو، ويمكن تفعيلها ببساطة عن طريق إرسال بريد إلكتروني إلى مستخدم. بمجرد أن يعالج الوكيل البريد الإلكتروني الخبيث، تحدث عمليّة تسريب البيانات تلقائياً على خوادم OpenAI، متجاوزةً ضوابط الأمن التقليدية.
أبلغت Radware OpenAI عن الثغرة بشكل مسؤول في 18 يونيو 2025، وتم تطبيق الإصلاح بحلول 3 سبتمبر 2025. ستستضيف الشركة ندوتها عبر الويب في 16 أكتوبر 2025 لمناقشة التداعيات واستراتيجيات الدفاع ضد هذه الفئة الجديدة من التهديدات الأمنية المعتمدة على الذكاء الاصطناعي.
Radware(纳斯达克股票代码:RDWR) 在 ChatGPT 的 Deep Research 代理中发现了一项名为 “ShadowLeak” 的关键安全漏洞。该零点击漏洞使攻击者在无需任何用户交互或可见的妥协迹象的情况下,从 OpenAI 服务器提取敏感数据。
该漏洞由 Radware 安全研究中心的研究员 Gabi Nakibly 和 Zvika Babo 发现,可以仅通过向用户发送电子邮件来触发。一旦代理处理了恶意电子邮件,数据窃取就会在 OpenAI 的服务器上自动发生,绕过传统的安全控制。
Radware 于 2025 年 6 月 18 日负责任地向 OpenAI 披露了这一漏洞,并于 2025 年 9 月 3 日实现了修复。公司将于 2025 年 10 月 16 日举办一个详细的网络研讨会,讨论这类由 AI 驱动的新型安全威胁的影响及防御策略。
- First identification of a novel class of AI security threats, positioning Radware as a leader in AI security research
- Successful responsible disclosure process with OpenAI, demonstrating strong industry collaboration
- Discovery affects 5 million ChatGPT business users, highlighting the significant market impact of the research
- Reveals critical security vulnerabilities in widely-adopted AI systems
- Traditional security tools proven ineffective against this new class of threats
- Exposes potential risks for enterprises relying on AI-driven workflows
Insights
Radware's discovery of the ShadowLeak vulnerability demonstrates their leadership in AI security and enhances their market position in next-generation threat detection.
Radware's discovery of the "ShadowLeak" vulnerability represents a significant advancement in cybersecurity research that substantially strengthens the company's market position. This zero-click vulnerability in ChatGPT's Deep Research agent operates entirely server-side, making it virtually undetectable through conventional security measures. The attack requires no user interaction whatsoever - no clicks, no prompts, and leaves no visible evidence of compromise.
The technical significance cannot be overstated. This discovery introduces an entirely new class of AI security vulnerabilities where autonomous agents can be manipulated to exfiltrate sensitive data directly from cloud servers without leaving network-level evidence. For context, traditional zero-click attacks still typically leave some network traces, but ShadowLeak operates completely behind the scenes through the AI agent itself.
What makes this particularly valuable for Radware is the timing - with 5 million business users on ChatGPT (according to ChatGPT's VP of product), the company has positioned itself at the forefront of an emerging and critical security domain. The research demonstrates Radware's capabilities precisely when enterprises are rapidly adopting AI agents, creating substantial market differentiation against competitors.
The responsible disclosure timeline (June to September 2025) and OpenAI's acknowledgment further validates the legitimacy of Radware's research. By following proper disclosure protocols and planning educational initiatives like the upcoming webinar, Radware is leveraging this discovery not just technically but strategically - establishing thought leadership in AI security when enterprise customers are most concerned about these emerging risks.
New ShadowLeak exploit directs ChatGPT’s Deep Research agent to exfiltrate sensitive customer data autonomously, from OpenAI servers
MAHWAH, N.J., Sept. 18, 2025 (GLOBE NEWSWIRE) -- Radware® (NASDAQ: RDWR), a leading provider of cybersecurity and application delivery solutions, today announced the discovery of a previously unknown zero-click vulnerability affecting the ChatGPT Deep Research agent. The flaw, dubbed “ShadowLeak,” allows attackers to exfiltrate sensitive information from users without any clicks, prompts or visible signs of compromise on the network or endpoint.
The vulnerability, which Radware disclosed to OpenAI under responsible disclosure protocols, demonstrates a new class of attack on AI agents as they continue to gain broad enterprise adoption. These fully covert, automated agent exploits bypass traditional security controls. Radware’s Security Research Center (RSRC) successfully demonstrated that an attacker could exploit the vulnerability by simply sending an email to the user. Once the agent interacted with the malicious email, sensitive data was extracted without victims ever viewing, opening or clicking the message.
“This is the quintessential zero-click attack,” said David Aviv, chief technology officer at Radware. “There is no user action required, no visible cue and no way for victims to know their data has been compromised. Everything happens entirely behind the scenes through autonomous agent actions on OpenAI cloud servers.”
With ShadowLeak, Radware researchers Gabi Nakibly, Zvika Babo (co-lead researchers) with contribution from Maor Uziel, discovered the first purely server-side sensitive data leak. Without any user action (zero-click), ChatGPT’s Deep Research agent, executing in the OpenAI cloud, performed the sensitive data exfiltration autonomously from OpenAI servers. Unlike previously disclosed zero-click attacks, ShadowLeak operates independently and leaves no network level evidence, making these threats nearly impossible to detect from the perspective of the ChatGPT business customer.
“Enterprises adopting AI cannot rely on built-in safeguards alone to prevent abuse,” said Pascal Geenens, director of cyber threat intelligence at Radware. “Our research highlights that the combination of AI autonomy, SaaS services and integration with customers’ sensitive data sources introduces an entirely new class of risks. AI-driven workflows can be manipulated in ways not yet anticipated, and these attack vectors often bypass the visibility and detection capabilities of traditional security solutions.”
The research arrives at a pivotal moment for enterprise AI adoption. During an August 2025 CNBC interview, Nick Turley, VP of product for ChatGPT, stated that it has 5 million paying business users on ChatGPT, underscoring the potential scale of exposure. Radware’s findings suggest that enterprises relying solely on vendor mitigations or traditional security tools are leaving themselves exposed to an entirely new class of AI attacks.
For more information review Radware’s latest Threat Advisory and Blog Article: ShadowLeak: A Zero-Click, Service-Side Attack Exfiltrating Sensitive Data Using ChatGPT’s Deep Research Agent.
Radware Webinar on ShadowLeak
Radware will host a live webinar on October 16, 2025, “ShadowLeak: A Deep Dive into the First Zero-Click, Service-Side Vulnerability in ChatGPT.”
Security leaders and AI developers are invited to attend and explore the anatomy of the ShadowLeak attack, best practices for securing AI agents and the future of responsible AI threat research.
Radware conducts this threat research on behalf of the wider cybersecurity community, ensuring security professionals have the same insights as attackers. The complete research, including technical breakdowns and defense recommendations, will be available at Radware’s SRC following the webinar.
Responsible Disclosure
Radware reported the vulnerability to OpenAI on June 18, 2025, under responsible disclosure protocols. OpenAI acknowledged the issue and notified Radware of the fix on September 3, 2025. Radware commends OpenAI’s collaboration and commitment to ecosystem safety. This discovery reinforces Radware’s commitment to cybersecurity by anticipating threats that traditional tools miss and ensuring AI agents operate within safe, secure and trusted boundaries.
About Radware Security Research Center
Radware Security Research Center (RSRC) is the threat research arm of Radware, dedicated to uncovering and responsibly disclosing vulnerabilities in traditional web applications and emerging AI systems. Through leading-edge research and real-world attack simulations, the center helps organizations understand and defend against zero-day and zero-click threats. Visit RSRC to learn more and download the latest Internet of Agents threat research.
About Radware
Radware® (NASDAQ: RDWR) is a global leader in application security and delivery solutions for multi-cloud environments. The company’s cloud application, infrastructure, and API security solutions use AI-driven algorithms for precise, hands-free, real-time protection from the most sophisticated web, application, DDoS attacks, API abuse, and bad bots. Enterprises and carriers worldwide rely on Radware’s solutions to address evolving cybersecurity challenges and protect their brands and business operations while reducing costs. For more information, please visit the Radware website.
Radware encourages you to join our community and follow us on: Facebook, LinkedIn, Radware Blog, X, and YouTube.
©2025 Radware Ltd. All rights reserved. Any Radware products and solutions mentioned in this press release are protected by trademarks, patents, and pending patent applications of Radware in the U.S. and other countries. For more details, please see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.
Radware believes the information in this document is accurate in all material respects as of its publication date. However, the information is provided without any express, statutory, or implied warranties and is subject to change without notice.
The contents of any website or hyperlinks mentioned in this press release are for informational purposes and the contents thereof are not part of this press release.
Safe Harbor Statement
This press release includes “forward-looking statements” within the meaning of the Private Securities Litigation Reform Act of 1995. Any statements made herein that are not statements of historical fact, including statements about Radware’s plans, outlook, beliefs, or opinions, are forward-looking statements. Generally, forward-looking statements may be identified by words such as “believes,” “expects,” “anticipates,” “intends,” “estimates,” “plans,” and similar expressions or future or conditional verbs such as “will,” “should,” “would,” “may,” and “could.” For example, when we say in this press release that findings suggest that enterprises relying solely on vendor mitigations or traditional security tools are leaving themselves exposed to an entirely new class of attacks, we are using forward-looking statements. Because such statements deal with future events, they are subject to various risks and uncertainties, and actual results, expressed or implied by such forward-looking statements, could differ materially from Radware’s current forecasts and estimates. Factors that could cause or contribute to such differences include, but are not limited to: the impact of global economic conditions, including as a result of the state of war declared in Israel in October 2023 and instability in the Middle East, the war in Ukraine, tensions between China and Taiwan, financial and credit market fluctuations (including elevated interest rates), impacts from tariffs or other trade restrictions, inflation, and the potential for regional or global recessions; our dependence on independent distributors to sell our products; our ability to manage our anticipated growth effectively; our business may be affected by sanctions, export controls, and similar measures, targeting Russia and other countries and territories, as well as other responses to Russia’s military conflict in Ukraine, including indefinite suspension of operations in Russia and dealings with Russian entities by many multi-national businesses across a variety of industries; the ability of vendors to provide our hardware platforms and components for the manufacture of our products; our ability to attract, train, and retain highly qualified personnel; intense competition in the market for cybersecurity and application delivery solutions and in our industry in general, and changes in the competitive landscape; our ability to develop new solutions and enhance existing solutions; the impact to our reputation and business in the event of real or perceived shortcomings, defects, or vulnerabilities in our solutions, if our end-users experience security breaches, or if our information technology systems and data, or those of our service providers and other contractors, are compromised by cyber-attackers or other malicious actors or by a critical system failure; our use of AI technologies that present regulatory, litigation, and reputational risks; risks related to the fact that our products must interoperate with operating systems, software applications and hardware that are developed by others; outages, interruptions, or delays in hosting services; the risks associated with our global operations, such as difficulties and costs of staffing and managing foreign operations, compliance costs arising from host country laws or regulations, partial or total expropriation, export duties and quotas, local tax exposure, economic or political instability, including as a result of insurrection, war, natural disasters, and major environmental, climate, or public health concerns; our net losses in the past and the possibility that we may incur losses in the future; a slowdown in the growth of the cybersecurity and application delivery solutions market or in the development of the market for our cloud-based solutions; long sales cycles for our solutions; risks and uncertainties relating to acquisitions or other investments; risks associated with doing business in countries with a history of corruption or with foreign governments; changes in foreign currency exchange rates; risks associated with undetected defects or errors in our products; our ability to protect our proprietary technology; intellectual property infringement claims made by third parties; laws, regulations, and industry standards affecting our business; compliance with open source and third-party licenses; complications with the design or implementation of our new enterprise resource planning (“ERP”) system; our reliance on information technology systems; our ESG disclosures and initiatives; and other factors and risks over which we may have little or no control. This list is intended to identify only certain of the principal factors that could cause actual results to differ. For a more detailed description of the risks and uncertainties affecting Radware, refer to Radware’s Annual Report on Form 20-F, filed with the Securities and Exchange Commission (SEC), and the other risk factors discussed from time to time by Radware in reports filed with, or furnished to, the SEC. Forward-looking statements speak only as of the date on which they are made and, except as required by applicable law, Radware undertakes no commitment to revise or update any forward-looking statement in order to reflect events or circumstances after the date any such statement is made. Radware’s public filings are available from the SEC’s website at www.sec.gov or may be obtained on Radware’s website at www.radware.com.
Media Contacts:
Elyse Familant
ResultsPR
elysef@resultspr.net
Gina Sorice
Radware
GinaSo@radware.com
FAQ
What is the ShadowLeak vulnerability discovered by Radware in ChatGPT?
How does the ShadowLeak vulnerability in ChatGPT (RDWR discovery) work?
When did Radware (RDWR) discover and report the ChatGPT vulnerability?
How many ChatGPT business users are potentially affected by the ShadowLeak vulnerability?
When is Radware's webinar about the ChatGPT ShadowLeak vulnerability?
