{"id":"https://openalex.org/W4415090399","doi":"https://doi.org/10.48550/arxiv.2509.10540","title":"EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System","display_name":"EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System","publication_year":2025,"publication_date":"2025-09-06","ids":{"openalex":"https://openalex.org/W4415090399","doi":"https://doi.org/10.48550/arxiv.2509.10540"},"language":"en","primary_location":{"id":"pmh:oai:arXiv.org:2509.10540","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2509.10540","pdf_url":"https://arxiv.org/pdf/2509.10540","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"type":"preprint","indexed_in":["arxiv","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://arxiv.org/pdf/2509.10540","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5009666929","display_name":"M. Pavan Reddy","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Reddy, Pavan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5043667565","display_name":"Aditya Sanjay Gujral","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Gujral, Aditya Sanjay","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5009666929"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11044","display_name":"Particle Detector Development and Performance","score":0.9646999835968018,"subfield":{"id":"https://openalex.org/subfields/3106","display_name":"Nuclear and High Energy Physics"},"field":{"id":"https://openalex.org/fields/31","display_name":"Physics and Astronomy"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11044","display_name":"Particle Detector Development and Performance","score":0.9646999835968018,"subfield":{"id":"https://openalex.org/subfields/3106","display_name":"Nuclear and High Energy Physics"},"field":{"id":"https://openalex.org/fields/31","display_name":"Physics and Astronomy"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11032","display_name":"VLSI and Analog Circuit Testing","score":0.9297999739646912,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9272000193595886,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.7452999949455261},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.487199991941452},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.4603999853134155},{"id":"https://openalex.org/keywords/chaining","display_name":"Chaining","score":0.41690000891685486},{"id":"https://openalex.org/keywords/interdiction","display_name":"Interdiction","score":0.4097000062465668},{"id":"https://openalex.org/keywords/rootkit","display_name":"Rootkit","score":0.3862999975681305},{"id":"https://openalex.org/keywords/blueprint","display_name":"Blueprint","score":0.3643999993801117},{"id":"https://openalex.org/keywords/forward-chaining","display_name":"Forward chaining","score":0.3546000123023987},{"id":"https://openalex.org/keywords/production","display_name":"Production (economics)","score":0.3537999987602234}],"concepts":[{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.7452999949455261},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.7089999914169312},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6274999976158142},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.487199991941452},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.4603999853134155},{"id":"https://openalex.org/C49020025","wikidata":"https://www.wikidata.org/wiki/Q1059099","display_name":"Chaining","level":2,"score":0.41690000891685486},{"id":"https://openalex.org/C124119293","wikidata":"https://www.wikidata.org/wiki/Q6046081","display_name":"Interdiction","level":2,"score":0.4097000062465668},{"id":"https://openalex.org/C10144332","wikidata":"https://www.wikidata.org/wiki/Q14645","display_name":"Rootkit","level":3,"score":0.3862999975681305},{"id":"https://openalex.org/C155911762","wikidata":"https://www.wikidata.org/wiki/Q422321","display_name":"Blueprint","level":2,"score":0.3643999993801117},{"id":"https://openalex.org/C142614401","wikidata":"https://www.wikidata.org/wiki/Q777433","display_name":"Forward chaining","level":3,"score":0.3546000123023987},{"id":"https://openalex.org/C2778348673","wikidata":"https://www.wikidata.org/wiki/Q739302","display_name":"Production (economics)","level":2,"score":0.3537999987602234},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.3393000066280365},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.33660000562667847},{"id":"https://openalex.org/C129916263","wikidata":"https://www.wikidata.org/wiki/Q1141183","display_name":"Backward chaining","level":4,"score":0.3328999876976013},{"id":"https://openalex.org/C141141315","wikidata":"https://www.wikidata.org/wiki/Q2379942","display_name":"Guard (computer science)","level":2,"score":0.3262999951839447},{"id":"https://openalex.org/C2777212361","wikidata":"https://www.wikidata.org/wiki/Q5127848","display_name":"Class (philosophy)","level":2,"score":0.323199987411499},{"id":"https://openalex.org/C2992838255","wikidata":"https://www.wikidata.org/wiki/Q856887","display_name":"Security guard","level":2,"score":0.3222000002861023},{"id":"https://openalex.org/C40842320","wikidata":"https://www.wikidata.org/wiki/Q19423","display_name":"Buffer overflow","level":2,"score":0.3206000030040741},{"id":"https://openalex.org/C56666940","wikidata":"https://www.wikidata.org/wiki/Q788790","display_name":"Documentation","level":2,"score":0.3206000030040741},{"id":"https://openalex.org/C13159133","wikidata":"https://www.wikidata.org/wiki/Q365674","display_name":"Security engineering","level":5,"score":0.3100999891757965},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.30709999799728394},{"id":"https://openalex.org/C2780938662","wikidata":"https://www.wikidata.org/wiki/Q973710","display_name":"Tying","level":2,"score":0.30300000309944153},{"id":"https://openalex.org/C172776598","wikidata":"https://www.wikidata.org/wiki/Q7943570","display_name":"Vulnerability management","level":4,"score":0.2996000051498413},{"id":"https://openalex.org/C18762648","wikidata":"https://www.wikidata.org/wiki/Q42213","display_name":"Work (physics)","level":2,"score":0.28200000524520874},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.26980000734329224},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.26510000228881836},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.2635999917984009},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.25360000133514404}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:oai:arXiv.org:2509.10540","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2509.10540","pdf_url":"https://arxiv.org/pdf/2509.10540","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},{"id":"doi:10.48550/arxiv.2509.10540","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2509.10540","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:arXiv.org:2509.10540","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2509.10540","pdf_url":"https://arxiv.org/pdf/2509.10540","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Large":[0],"language":[1],"model":[2],"(LLM)":[3],"assistants":[4],"are":[5],"increasingly":[6],"integrated":[7],"into":[8],"enterprise":[9],"workflows,":[10],"raising":[11],"new":[12],"security":[13,83,121],"concerns":[14],"as":[15,153],"they":[16],"bridge":[17],"internal":[18],"and":[19,73,102,118,144,163],"external":[20],"data":[21,46],"sources.":[22],"This":[23],"paper":[24],"presents":[25],"an":[26],"in-depth":[27],"case":[28],"study":[29],"of":[30,106,139],"EchoLeak":[31],"(CVE-2025-32711),":[32],"a":[33,49,75,104,154,165],"zero-click":[34],"prompt":[35,110,151],"injection":[36,152],"vulnerability":[37,157],"in":[38,159],"Microsoft":[39,76],"365":[40],"Copilot":[41],"that":[42],"enabled":[43],"remote,":[44],"unauthenticated":[45],"exfiltration":[47],"via":[48],"single":[50],"crafted":[51],"email.":[52],"By":[53],"chaining":[54],"multiple":[55],"bypasses-evading":[56],"Microsofts":[57],"XPIA":[58],"(Cross":[59],"Prompt":[60],"Injection":[61],"Attempt)":[62],"classifier,":[63],"circumventing":[64],"link":[65],"redaction":[66],"with":[67],"reference-style":[68],"Markdown,":[69],"exploiting":[70],"auto-fetched":[71],"images,":[72],"abusing":[74],"Teams":[77],"proxy":[78],"allowed":[79],"by":[80],"the":[81,124,137],"content":[82,120],"policy-EchoLeak":[84],"achieved":[85],"full":[86],"privilege":[87],"escalation":[88],"across":[89],"LLM":[90],"trust":[91],"boundaries":[92],"without":[93],"user":[94],"interaction.":[95],"We":[96],"analyze":[97],"why":[98],"existing":[99],"defenses":[100],"failed,":[101],"outline":[103],"set":[105],"engineering":[107],"mitigations":[108],"including":[109],"partitioning,":[111],"enhanced":[112],"input/output":[113],"filtering,":[114],"provenance-based":[115],"access":[116],"control,":[117],"strict":[119],"policies.":[122],"Beyond":[123],"specific":[125],"exploit,":[126],"we":[127],"derive":[128],"generalizable":[129],"lessons":[130],"for":[131,167],"building":[132],"secure":[133],"AI":[134,161],"copilots,":[135],"emphasizing":[136],"principle":[138],"least":[140],"privilege,":[141],"defense-in-depth":[142],"architectures,":[143],"continuous":[145],"adversarial":[146],"testing.":[147],"Our":[148],"findings":[149],"establish":[150],"practical,":[155],"high-severity":[156],"class":[158],"production":[160],"systems":[162],"provide":[164],"blueprint":[166],"defending":[168],"against":[169],"future":[170],"AI-native":[171],"threats.":[172]},"counts_by_year":[],"updated_date":"2026-03-07T16:01:11.037858","created_date":"2025-10-12T00:00:00"}