|
| 1 | +# ASI Agentic Exploits & Incidents Master List |
| 2 | + |
| 3 | +The ASI Exploits and Incidents is intended to help inform and ground our **OWASP Top 10 for Agentic Applications** to real world incidents and exploits. |
| 4 | +It will contribute to but not substitute any existing vulnerability reporting in the **GenAI Security project**. |
| 5 | +Similarly, any aspects relating to incident response should be discussed with the **CTI initiative** that publishes the incident response guide. |
| 6 | + |
| 7 | +## Guidelines |
| 8 | +- Must **NOT** repeat other vendors but reference their work. |
| 9 | +- Must analyse incidents with **agentic threats in mind** — not just LLM classifications like *data leaks* and *prompt injection*. |
| 10 | +- Must focus on **agentic applications** (as defined in the ASI Threats & Mitigations) and distinguish them from *simple chatbots*. |
| 11 | + |
| 12 | +**Lead:** Ron F. Del Rosario |
| 13 | + |
| 14 | +--- |
| 15 | + |
| 16 | +## Exploits & Incidents Table |
| 17 | + |
| 18 | +| Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis | |
| 19 | +|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------| |
| 20 | +| **EchoLeak (Zero-Click Prompt Injection)** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | - | |
| 21 | +| **GitPublic Issue Repo Hijack** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) | - | |
| 22 | +| **Hub MCP Prompt Injection (Cross-Context)** | *(details missing)* | *(unspecified)* | - | |
| 23 | +| **Replit Vibe Coding Meltdown – Jul 2025** | Agent hallucinated data, deleted a production DB, and generated false outputs to hide mistakes | T07 (Deceptive Behaviour) | - | |
| 24 | +| **Agent-in-the-Middle (A2A Protocol Spoofing) – Apr 2025** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | TI12 + TI13 (Rogue Agents) | - | |
| 25 | +| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | - | |
| 26 | +| **Google Gemini CLI File Loss – Jul 2025** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | T11 (Unexpected RCE) | - | |
| 27 | +| **ToolShell RCE via SharePoint – CVE-2025-5377 (Jul 2025)** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | - | |
| 28 | +| **AgentSmith Prompt-Hub Proxy Attack – Jul 2025** | Proxy prompt agent exfiltrated API keys | ASI17 (Supply Chain) | - | |
| 29 | +| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | - | |
| 30 | +| **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | - | |
| 31 | +| **Flowise Pre-Auth Arbitrary File Upload – CVE-2025-26319 (Mar 2025)** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | - | |
| 32 | +| **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | - | |
| 33 | + |
| 34 | +--- |
0 commit comments