Research conducted by cybersecurity company Zenity found that many of the widely known AI agents and assistants could be vulnerable to hijacking attacks from hackers.
Presenting their findings at the Black Hat USA cybersecurity conference, Zenity showed how hackers could exfiltrate data and impersonate users to gain access to the agent.
Beyond infiltrating the agent, the study reveals that the attackers would then gain memory persistence, allowing them to maintain long-term access and control. Zenity identified a number of companies at risk, including Microsoft, Google, OpenAI, and Salesforce.
How the Agent Is Infiltrated
At the cybersecurity conference, Zenity introduced AgentFlayer, a suite of 0-click exploit chains that enables attackers to hijack AI agents silently – without any user interaction – across a number of well-known enterprise AI tools.
The named real-world use cases include:
- OpenAI: ChatGPT could be easily compromised using an email-based prompt injection that granted access to connected Google Drive accounts.
- Microsoft: Copilot Studio’s customer support agent leaked entire CRM databases. Research identified more than 3,000 deployed agents that were at risk of leaking internal tools.
- Salesforce: the CRM giant’s Einstein platform was manipulated to reroute customer communications to researcher-controlled e-mail accounts.
Google’s Gemini and Microsoft 365’s Copilot could also be manipulated into insider threats, targeting users with social-engineering attacks and stealing sensitive conversations.
Zenity have disclosed all their findings to the named companies, with some of them patching these issues immediately.
A spokesperson from Google told Salesforce Ben: “We have recently deployed new, layered defenses that fix this type of issue. Having a layered defense strategy against prompt injection attacks is crucial – see our recent blog post with details on the protections we’ve deployed to keep our users safe.”
We also reached out to Salesforce, which stated: “Salesforce is aware of the vulnerability reported by Zenity and has implemented layered, preventive controls designed to mitigate prompt injection risks. The security landscape for prompt injection remains a complex and evolving area, and we continue to invest in strong security controls and work closely with the research community to help protect our customers as these types of issues surface.”
Is the Agentic Boom Premature?
As enterprises, including Salesforce, race to embed AI agents across workflows, a glaring security shortfall is starting to emerge.
Zenity research highlights that AI agents with extra security measures – like Salesforce agents, for example – were still bypassed by Zenity and can potentially be weaponized.
Agentforce sits inside the Einstein Trust Layer, which is meant to protect against misuse and data leakage. One of its guardrails ensures the LLM treats tool results as data, not instructions. But Zenity showed this could be bypassed by hiding malicious instructions inside Salesforce records.
When the agent processed those records, the instructions triggered harmful actions, such as quietly corrupting customer data or rerouting sensitive communications, all without tripping Salesforce’s built-in defenses.
In other words, Salesforce’s push for agent-first innovation may be outpacing its maturity in agent-centric security.
Without dedicated defenses, such as governance frameworks, visibility tools, and runtime anomaly detection, organizations risk building on sand. For Salesforce customers and admins, accelerating adoption must go hand-in-hand with incorporating resilient security practices.
Final Thoughts
Amid recent Salesforce-related security incidents, this feels like yet another reason for users to be cautious, especially as Agentforce adoption accelerates.
The silver lining is that research teams like Zenity are uncovering these vulnerabilities before malicious actors can exploit them.
Still, skepticism remains. Organizations are being asked to entrust agents with highly sensitive data, and many are questioning whether agentic AI is truly ready for that responsibility.
