CyberHappenings logo

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Increased AI Enterprise Compromise Risks from AI Agents

First reported
Last updated
📰 1 unique sources, 1 articles

Summary

Hide ▲

AI agents integrated into enterprise environments pose a significant security risk. Attackers can hijack these agents by knowing a user's email address, without needing credentials. Once compromised, these agents can exfiltrate sensitive data and manipulate users by exploiting the trust placed in AI assistants. This new attack surface affects major AI platforms from Microsoft, Google, OpenAI, Salesforce, and others, making enterprise environments highly vulnerable to zero-click exploits and other sophisticated attacks. The problem of securing AI agents is complex and requires defense in depth and a shift in security mindset. Traditional approaches like prompt injection mitigation have seen limited success, and relying solely on vendor fixes is insufficient. Organizations must develop comprehensive security programs, assuming breaches will occur and managing risks accordingly.

Timeline

  1. 19.08.2025 23:54 📰 1 articles · ⏱ 27d ago

    AI agents in enterprise environments exploited for data exfiltration and manipulation

    AI agents integrated into enterprise environments have evolved to perform complex actions on behalf of users, such as accessing emails, documents, calendars, and even development environments. This increased capability introduces a significant security risk: attackers can hijack these AI agents by simply knowing a user's email address, without needing credentials. Once compromised, these agents can exfiltrate sensitive data and manipulate users by exploiting the trust placed in AI assistants. This new attack surface affects major AI platforms from Microsoft, Google, OpenAI, Salesforce, and others, making enterprise environments highly vulnerable to zero-click exploits and other sophisticated attacks.

    Show sources

Information Snippets

Similar Happenings

UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

Critical SAP S/4HANA Command Injection Vulnerability Exploited

A critical command injection vulnerability in SAP S/4HANA (CVE-2025-42957) is being actively exploited in the wild. The flaw, with a CVSS score of 9.9, allows attackers with low-privileged user access to execute arbitrary ABAP code, bypass authorization checks, and fully compromise the SAP environment. This can lead to data theft, fraud, or ransomware installation. The vulnerability affects both on-premise and Private Cloud editions of SAP S/4HANA, as well as several other SAP products and versions. SecurityBridge Threat Research Labs discovered the vulnerability and reported it to SAP on June 27, 2025. The vendor fixed the vulnerability on August 11, 2025, but several systems have not applied the available security updates and are now being targeted by hackers. Exploitation activity surged dramatically after the patch was released. Organizations are advised to apply patches immediately, monitor logs for suspicious activity, and implement additional security measures.

Malicious link spreading via Grok AI on X

Threat actors are exploiting X's Grok AI to bypass link posting restrictions and spread malicious links. They hide links in the 'From:' metadata field of video ads, which Grok then reveals when queried, boosting the links' credibility and reach. This technique, dubbed 'Grokking,' leads users to various scams and malware. The abuse leverages Grok's trusted status on X, amplifying the reach of malicious ads to millions of users. Potential solutions include scanning all fields, blocking hidden links, and enhancing Grok's context sanitization to filter and check links against blocklists. The technique involves using adult content as bait to attract users. The links direct users to sketchy ad networks, pushing fake CAPTCHA scams, information-stealing malware, and other suspicious content. The domains are part of the same Traffic Distribution System (TDS). Hundreds of accounts have been engaging in this behavior over the past few days, posting non-stop until they get suspended. Grok's internal security mechanisms are less robust compared to its competitors, making it vulnerable to prompt injection attempts. X's Grok 4 model lacks fine-tuning for security and safety, prioritizing performance over security.

Sitecore Experience Platform Exploit Chain Enabling Remote Code Execution

An exploit chain has been identified in the Sitecore Experience Platform, combining cache poisoning and remote code execution vulnerabilities. The chain leverages four new flaws (CVE-2025-53693, CVE-2025-53691, CVE-2025-53694, CVE-2025-53690) to achieve unauthorized access and code execution. The exploit chain involves HTML cache poisoning through unsafe reflections and insecure deserialization, potentially leading to full compromise of Sitecore instances. The vulnerabilities were disclosed by watchTowr Labs and patches were released by Sitecore in June and July 2025. Additionally, a new zero-day vulnerability (CVE-2025-53690) was exploited by threat actors to deliver malware and perform extensive internal reconnaissance. The attackers targeted the '/sitecore/blocked.aspx' endpoint to achieve remote code execution and executed reconnaissance commands including whoami, hostname, tasklist, ipconfig /all, and netstat -ano. The vulnerability is a ViewState deserialization flaw under active exploitation in the wild, affecting several Sitecore products including Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud. The attack leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. CISA has ordered immediate patching of the vulnerability by September 25, 2025. The wider impact of the vulnerability has not yet surfaced, but it is expected to do so.

Active Exploitation of FreePBX Zero-Day Vulnerability CVE-2025-57819

A zero-day vulnerability in FreePBX, identified as CVE-2025-57819, is being actively exploited. The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. The vulnerability affects specific versions of FreePBX, and exploitation began on or before August 21, 2025. Sangoma has released emergency patches for the vulnerability. Users are advised to update to the latest versions, restrict public access to the administrator control panel, and follow additional security recommendations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-57819 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply patches by September 19, 2025.