STOCK TITAN

Radware Unveils “ZombieAgent”: A Newly Discovered Zero-Click, AI Agent Vulnerability Enabling Silent Takeover and Cloud-Based Data Exfiltration

Rhea-AI Impact: Moderate
Rhea-AI Sentiment: Very Negative
Tags: AI

Radware (NASDAQ: RDWR) disclosed ZombieAgent, a zero-click indirect prompt injection vulnerability targeting OpenAI’s Deep Research agent that can implant persistent rules in an agent’s long-term memory to exfiltrate data from the cloud and autonomously propagate across contacts.

The flaw executes in OpenAI’s cloud (not user endpoints), evades endpoint and network controls, and can enable worm-like spread from a single malicious email. Radware disclosed the issue to OpenAI and will publish full technical research after a January 20, 2026 webinar.

Positive

  • Radware disclosed the vulnerability to OpenAI under responsible disclosure
  • Full technical research and defenses will be published after webinar

Negative

  • Zero-click exfiltration occurs inside OpenAI cloud, not endpoints
  • Malicious rules implant into agent long-term memory enabling persistence
  • Can silently propagate across contacts, enabling worm-like campaigns
  • Bypasses secure web gateways, EDR, and traditional network controls

News Market Reaction

On the day this news was published, RDWR declined 1.39%, reflecting a mild negative market reaction.

Data tracked by StockTitan Argus on the day of publication.

Key Figures

  • Publication date: Jan 08, 2026 (news release date for ZombieAgent disclosure)
  • Webinar date: Jan 20, 2026 (scheduled Radware webinar on ZombieAgent vulnerabilities)

Market Reality Check

Last Close: $23.77
Volume: 169,199, about 0.52x the 20-day average of 322,549 (low), indicating subdued trading ahead of this AI security disclosure.
Technical: Shares at $24.40 are trading slightly below the 200-day MA ($24.85) and about 22.7% under the 52-week high.

Peers on Argus

RDWR was up 1.46% with mixed moves across close software/security peers: RPD gained 1.81%, while ATEN and YEXT slipped and VRNT was nearly flat. No peers appeared in the momentum scanner and no same-day peer headlines were recorded, suggesting this AI vulnerability research read more as company-specific than part of a sector-wide move.

Historical Context

5 past events · Latest: Jan 06 (Positive)

Date | Event | Sentiment | Move | Catalyst
Jan 06 | Cloud capacity expansion | Positive | -0.5% | Doubled global cloud security mitigation capacity to 30 Tbps.
Dec 23 | AGM voting results | Neutral | -0.5% | Most AGM proposals passed; one compensation-related proposal not approved.
Dec 22 | Major customer win | Positive | +1.8% | Signed multi-year, multimillion-dollar agreement for DefensePro DDoS solution.
Nov 18 | AI security product launch | Positive | +1.0% | Launched LLM Firewall to block prompt injection and exfiltration for GenAI apps.
Nov 17 | AGM announcement | Neutral | -4.6% | Announced date, agenda and logistics for 2025 Annual General Meeting.

Pattern Detected

Across recent company and AI-related announcements, RDWR’s price reaction aligned with the apparent news tone in most cases, with only one notable divergence following a capacity expansion update.

Recent Company History

Over the last few months, RDWR reported several operational and AI-security developments. On Dec 22, 2025, it announced a multi‑year, multimillion‑dollar customer win tied to its DefensePro DDoS solution, which saw a +1.84% 24‑hour move. An AI-focused LLM Firewall launch on Nov 18, 2025 led to a +0.99% reaction. By contrast, doubling cloud security capacity to 30 Tbps on Jan 06, 2026 coincided with a modest -0.54% move. The current AI vulnerability disclosure fits into this ongoing narrative of expanding AI and cloud security capabilities.

Market Pulse Summary

This announcement details Radware’s discovery of “ZombieAgent,” a zero-click AI agent vulnerability enabling silent cloud-based data exfiltration and persistent agent hijacking. It reinforces the company’s focus on emerging AI and agentic threat surfaces, following earlier LLM and AI security launches. Historically, AI-tagged news for RDWR produced average moves near 0.91%. Investors monitoring this theme may watch how effectively Radware converts such research leadership into product adoption and long-term demand for its AI-driven protection stack.

Key Terms

zero-click (technical)
"ZombieAgent, a new zero-click indirect prompt injection (IPI) vulnerability"
An interaction or event that happens without a person having to click, tap or take any visible action. For investors this matters because it can mean information reaches audiences (or search engines answer users) without driving page views, changing how press releases and web traffic are measured, and it can also describe security flaws that allow attackers to compromise systems without user action — both affecting a company’s reputation, traffic metrics and risk profile.
indirect prompt injection (technical)
"a new zero-click indirect prompt injection (IPI) vulnerability targeting OpenAI’s Deep Research agent"
An indirect prompt injection is a covert way to trick an AI system by hiding instructions in sources the AI reads—like documents, web pages, or data feeds—rather than in the direct user query. For investors, it matters because automated tools that summarize filings, score sentiment, or generate trading signals can be misled into producing false or biased outputs, creating risks for bad investment decisions, compliance failures, or market-moving misinformation.
data exfiltration (technical)
"enabling silent takeover and cloud-based data exfiltration"
Data exfiltration is the unauthorized copying or removal of sensitive information from an organization’s systems, like someone sneaking files out of a locked office. It matters to investors because stolen data can lead to direct financial loss, regulatory fines, legal liability, damage to customer trust, and operational disruption — all of which can reduce revenue and share value and create unpredictable costs for the company.
endpoint detection and response (technical)
"No traditional security tools such as secure web gateways, endpoint detection and response or firewalls"
Endpoint detection and response (EDR) is a cybersecurity system that watches individual devices like computers and servers for suspicious activity and helps stop attacks in real time, combining automated alerts with tools to investigate and remediate threats. For investors, EDR matters because it reduces the risk of data breaches and operational downtime—protecting revenue, regulatory standing and company reputation much like a security camera plus rapid response team protects a storefront.
secure web gateways (technical)
"No traditional security tools such as secure web gateways, endpoint detection and response"
A secure web gateway is a security system that sits between a company’s users and the public internet to inspect and control web traffic, blocking malicious sites, unwanted downloads, and accidental data leaks. Think of it as a trained security guard or filter at the company’s internet entrance that enforces rules and keeps threats out. For investors, widespread use or sales growth of these tools signals attention to cyber risk, regulatory compliance, and potential recurring revenue for vendors.
agentic AI (technical)
"the rapidly expanding “agentic threat surface,” where AI agents read emails"
Agentic AI refers to computer systems that can make their own decisions and take actions without needing someone to tell them what to do each time. It's like giving a robot a degree of independence to solve problems or achieve goals on its own, which matters because it could change how we work and interact with technology in everyday life.
cloud infrastructure (technical)
"all malicious actions occur within OpenAI’s cloud infrastructure, not the user’s device"
Cloud infrastructure is the network of remote servers, storage, networking and basic software that companies rent over the internet instead of owning their own physical data centers — like using a utility grid or renting a fully equipped office rather than buying a building and furniture. Investors care because it changes how a company spends money, scales operations, launches products and manages risk: it can lower upfront costs, speed growth, concentrate vendor or outage risk, and influence recurring revenue and margins.
worm-like campaign (technical)
"entry point to a growing, automated, worm-like campaign inside the organization"
A worm-like campaign is a cyberattack or disinformation effort that spreads automatically and rapidly across networks, devices, or user accounts rather than relying solely on one-by-one manual actions. Like a contagious rumor or a biological worm that moves from host to host, it can amplify damage by infecting many systems quickly; for investors that means higher risk of operational disruption, data breaches, regulatory fines, reputational harm and sudden moves in a company’s stock price.

AI-generated analysis. Not financial advice.

The vulnerability directs ChatGPT’s Deep Research agent to exfiltrate sensitive customer data autonomously from OpenAI servers and could fuel a growing, automated, worm-like attack campaign inside organizations

MAHWAH, N.J., Jan. 08, 2026 (GLOBE NEWSWIRE) -- Radware® (NASDAQ: RDWR), a global leader in application security and delivery solutions for multi-cloud environments, today announced the discovery of ZombieAgent, a new zero-click indirect prompt injection (IPI) vulnerability targeting OpenAI’s Deep Research agent. The vulnerability could expose enterprises to invisible data theft, persistent agent hijacking, and service-side execution that could bypass an organization’s security controls.

Persistent Memory Manipulation and Autonomous Propagation

ZombieAgent initially resembles Radware’s previously disclosed ShadowLeak vulnerability, which shows how indirect prompt injection techniques could be used to influence the behavior of AI agents. However, Radware’s researchers also identified a more advanced attack stage in which ZombieAgent implants malicious rules directly into an agent’s long-term memory or working notes. This allows the attacker to establish persistence without re-engaging the target. It executes hidden actions every time the agent is used, silently collecting sensitive information over time. It is also capable of propagating the attack across additional contacts or email recipients.

A single malicious email could therefore become the entry point to a growing, automated, worm-like campaign inside the organization and beyond.

“ZombieAgent illustrates a critical structural weakness in today’s agentic AI platforms,” said Pascal Geenens, vice president, threat intelligence, Radware. “Enterprises rely on these agents to make decisions and access sensitive systems, but they lack visibility into how agents interpret untrusted content or what actions they execute in the cloud. This creates a dangerous blind spot that attackers are already exploiting.”

Zero-Click Exploitation Through Hidden Instructions

Leveraging techniques learned from ShadowLeak, Radware’s threat intelligence research team discovered the new flaw in the guardrails deployed to protect against prompt injection vulnerabilities. Attackers can embed hidden directives into everyday emails, documents, or webpages. When an AI agent processes this content—such as during routine inbox summarization—the agent interprets the concealed instructions as legitimate commands. Once activated, the compromised agent could collect mailbox data, access sensitive files, and communicate with external servers. No user interaction is required and no “click” is needed to trigger the attack.

A defining characteristic of ZombieAgent is that all malicious actions occur within OpenAI’s cloud infrastructure, not the user’s device, nor the company’s IT environment. As a result, no endpoint logs record the activity. No network traffic passes through corporate security stacks. No traditional security tools such as secure web gateways, endpoint detection and response or firewalls detect the sensitive data exfiltration. Therefore, no traditional alert indicates the compromise to the user. This cloud-side invisibility could make ZombieAgent exceptionally difficult to detect or stop using existing enterprise controls.

ZombieAgent builds on Radware’s earlier “ShadowLeak” findings, further demonstrating how easily attackers can exploit the rapidly expanding “agentic threat surface,” where AI agents read emails, interact with corporate systems, initiate workflows, and make decisions autonomously. Radware disclosed the vulnerability to OpenAI under responsible disclosure protocols.

For more information, review Radware’s latest Threat Advisory and Blog article, “ZombieAgent: The Agentic Revolution Comes with Malicious Gifts.”

Radware Webinar on ZombieAgent

Radware will host a live webinar on January 20, 2026, “ZombieAgent: New ChatGPT Vulnerabilities Let Data Theft Continue (and Spread).”

Security leaders and AI developers are invited to attend and explore the anatomy of the ZombieAgent attack, best practices for securing AI agents and the future of responsible AI threat research.

Radware conducts threat research on behalf of the wider cybersecurity community, ensuring security professionals have the same insights as attackers. The complete research, including technical breakdowns and defense recommendations, will be available at Radware’s Security Research Center following the webinar.

About Radware
Radware® (NASDAQ: RDWR) is a global leader in application security and delivery solutions for multi-cloud environments. The company’s cloud application, infrastructure, and API security solutions use AI-driven algorithms for precise, hands-free, real-time protection from the most sophisticated web, application, and DDoS attacks, API abuse, and bad bots. Enterprises and carriers worldwide rely on Radware’s solutions to address evolving cybersecurity challenges and protect their brands and business operations while reducing costs. For more information, please visit the Radware website.

Radware encourages you to join our community and follow us on: Facebook, LinkedIn, Radware Blog, X, and YouTube.

©2026 Radware Ltd. All rights reserved. Any Radware products and solutions mentioned in this press release are protected by trademarks, patents, and pending patent applications of Radware in the U.S. and other countries. For more details, please see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.

Radware believes the information in this document is accurate in all material respects as of its publication date. However, the information is provided without any express, statutory, or implied warranties and is subject to change without notice.

The contents of any website or hyperlinks mentioned in this press release are for informational purposes and the contents thereof are not part of this press release.

Safe Harbor Statement
This press release includes “forward-looking statements” within the meaning of the Private Securities Litigation Reform Act of 1995. Any statements made herein that are not statements of historical fact, including statements about Radware’s plans, outlook, beliefs, or opinions, are forward-looking statements. Generally, forward-looking statements may be identified by words such as “believes,” “expects,” “anticipates,” “intends,” “estimates,” “plans,” and similar expressions or future or conditional verbs such as “will,” “should,” “would,” “may,” and “could.” For example, when we say in this press release that enterprises rely on agentic AI platforms to make decisions and access sensitive systems, but they lack visibility into how agents interpret untrusted content or what actions they execute in the cloud and that this creates a dangerous blind spot that attackers are already exploiting, we are using forward-looking statements. Because such statements deal with future events, they are subject to various risks and uncertainties, and actual results, expressed or implied by such forward-looking statements, could differ materially from Radware’s current forecasts and estimates. 
Factors that could cause or contribute to such differences include, but are not limited to: the impact of global economic conditions, including as a result of the state of war declared in Israel in October 2023 and instability in the Middle East, the war in Ukraine, tensions between China and Taiwan, financial and credit market fluctuations (including elevated interest rates), impacts from tariffs or other trade restrictions, inflation, and the potential for regional or global recessions; our dependence on independent distributors to sell our products; our ability to manage our anticipated growth effectively; our business may be affected by sanctions, export controls, and similar measures, targeting Russia and other countries and territories, as well as other responses to Russia’s military conflict in Ukraine, including indefinite suspension of operations in Russia and dealings with Russian entities by many multi-national businesses across a variety of industries; the ability of vendors to provide our hardware platforms and components for the manufacture of our products; our ability to attract, train, and retain highly qualified personnel; intense competition in the market for cybersecurity and application delivery solutions and in our industry in general, and changes in the competitive landscape; our ability to develop new solutions and enhance existing solutions; the impact to our reputation and business in the event of real or perceived shortcomings, defects, or vulnerabilities in our solutions, if our end-users experience security breaches, or if our information technology systems and data, or those of our service providers and other contractors, are compromised by cyber-attackers or other malicious actors or by a critical system failure; our use of AI technologies that present regulatory, litigation, and reputational risks; risks related to the fact that our products must interoperate with operating systems, software applications and hardware that are 
developed by others; outages, interruptions, or delays in hosting services; the risks associated with our global operations, such as difficulties and costs of staffing and managing foreign operations, compliance costs arising from host country laws or regulations, partial or total expropriation, export duties and quotas, local tax exposure, economic or political instability, including as a result of insurrection, war, natural disasters, and major environmental, climate, or public health concerns; our net losses in the past and the possibility that we may incur losses in the future; a slowdown in the growth of the cybersecurity and application delivery solutions market or in the development of the market for our cloud-based solutions; long sales cycles for our solutions; risks and uncertainties relating to acquisitions or other investments; risks associated with doing business in countries with a history of corruption or with foreign governments; changes in foreign currency exchange rates; risks associated with undetected defects or errors in our products; our ability to protect our proprietary technology; intellectual property infringement claims made by third parties; laws, regulations, and industry standards affecting our business; compliance with open source and third-party licenses; complications with the design or implementation of our new enterprise resource planning (“ERP”) system; our reliance on information technology systems; our ESG disclosures and initiatives; and other factors and risks over which we may have little or no control. This list is intended to identify only certain of the principal factors that could cause actual results to differ. For a more detailed description of the risks and uncertainties affecting Radware, refer to Radware’s Annual Report on Form 20-F, filed with the Securities and Exchange Commission (SEC), and the other risk factors discussed from time to time by Radware in reports filed with, or furnished to, the SEC. 
Forward-looking statements speak only as of the date on which they are made and, except as required by applicable law, Radware undertakes no commitment to revise or update any forward-looking statement in order to reflect events or circumstances after the date any such statement is made. Radware’s public filings are available from the SEC’s website at www.sec.gov or may be obtained on Radware’s website at www.radware.com.

Media Contact:

Gina Sorice 
Radware
GinaSo@radware.com

A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/e3d98be3-0ca0-464c-9ca5-971e0bfdc842


FAQ

What is ZombieAgent and which AI agent does it target (RDWR)?

ZombieAgent is a zero-click indirect prompt injection vulnerability targeting OpenAI's Deep Research agent that can implant persistent malicious rules.

How does ZombieAgent exfiltrate data and evade detection for RDWR investors?

It executes within OpenAI's cloud so endpoint logs and network controls do not record the data exfiltration, making traditional tools ineffective.

Can ZombieAgent spread inside an organization and when was Radware's disclosure date?

Yes; a single malicious email can enable worm-like propagation across contacts. Radware announced the finding on January 8, 2026.

What steps has Radware taken to inform the community about ZombieAgent?

Radware disclosed the vulnerability to OpenAI, will publish full research, and will host a live webinar on January 20, 2026.

Does ZombieAgent require user interaction to trigger data theft?

No; ZombieAgent is described as a zero-click exploit that activates when an AI agent processes hidden directives.