AI Attack Surface: How Agents Raise the Cyber Stakes TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTechTarget and Informa Tech’s Digital Business Combine.Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.Dark Reading Resource LibraryBlack Hat NewsOmdia CybersecurityAdvertiseNewsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsCybersecurity OperationsCan a Global, Decentralized System Save CVE Data?Can a Global, Decentralized System Save CVE Data?byRobert Lemos, Contributing WriterNov 18, 20254 Min ReadApplication SecurityMalicious Npm Packages Abuse Adspect Cloaking in Crypto ScamMalicious Npm Packages Abuse Adspect Cloaking in Crypto ScambyElizabeth Montalbano, Contributing WriterNov 18, 20255 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificRecent in World See AllCyberattacks & Data BreachesCoyote, Maverick Banking Trojans Run Rampant in BrazilCoyote, Maverick Banking Trojans Run Rampant in BrazilbyAlexander CulafiNov 13, 20254 Min ReadThreat IntelligenceSilver Fox APT Blurs the Line Between Espionage & CybercrimeSilver Fox APT Blurs the Line Between Espionage & CybercrimebyNate Nelson, Contributing WriterAug 8, 20253 Min ReadThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryApplication SecurityCybersecurity OperationsCyber RiskСloud SecurityNewsThe AI Attack Surface: How Agents Raise the Cyber StakesResearcher shows how agentic AI is vulnerable to hijacking to subvert an agent's goals and how agent interaction can be altered to compromise whole networks.Alexander Culafi, Senior News Writer, Dark ReadingNovember 19, 20254 Min ReadSource: United Archives GmbH via Alamy Stock PhotoAgentic AI tools are susceptible to the same risks as large language model (LLM) chatbots, but their autonomous capabilities may make their capacity to leak data and compromise organizations even worse. AI agents have taken the world by storm in recent months, as companies have bought and sold these tools under the premise that an advanced LLM could autonomously reason and complete tasks at a professional level, without much human interaction. But as time progresses, security concerns in the new AI age have grown more complex. For instance, without proper access controls, an LLM can easily leak sensitive data either through a prompt injection or even an otherwise intentional data exposure. And between vendors overpromising the potential of LLMs and customers hastily implementing them, the shared responsibility model has become complicated, to say the least. According to Accorian AI engineer Nagarjun Rallapalli, because AI agents are more capable than something like a traditional LLM chatbot — they can make plans, access tools they might not otherwise have access to, and create goals for tasks — the potential for risk increases. At the upcoming Black Hat Middle East & Africa, Rallapalli will show how modern agentic AI is vulnerable to a whole host of attack types: threat actors can use prompts to hijack an agent's goals and make it act against its intended functions, carry out time-based attacks, change how agents interact with each other to compromise whole networks, operate outside system limits and avoid oversights, leak data, and escalate privileges.Related:Malicious Npm Packages Abuse Adspect Cloaking in Crypto ScamRallapalli's session, entitled "The Agent Had a Plan — So Did I: Top Attacks on OWASP Agentic AI Systems," will cover a number of vulnerabilities and describe how they can be exploited according to OWASP's list of agentic AI threats. At the most extreme level, AI agents can be manipulated to abuse code-generation tools to create new attack vectors, including opportunities to execute remote code.The Agentic AI Threat LandscapeAlthough Rallapalli was unable to share with Dark Reading all the vulnerabilities he'll be presenting next month (some are currently in the disclosure process and haven't gone public as of this writing), he did offer one example.First reported over the summer, CVE-2025-53773 is a vulnerability in which the VS Code and GitHub Copilot Agent can be manipulated to create files without user authorization and ultimately fully compromise a developer's machine. Researcher Johann Rehberger found a single line command that would allow the agent to approve all tools automatically (which Rehberger called "YOLO mode" in a blog about the issue). Related:Critical Fortinet FortiWeb WAF Bug Exploited in the WildIn an attack, the attacker would inject a prompt somewhere the agent might view, such as in a Web page or GitHub issue. They would first use the auto-approve line through the malicious prompt and then use a secondary prompt to run a terminal command. In one demo presented in the blog, Rehberger got the agent to set its own permissions and then pop open a window for the calculator app. This, Rallapalli tells Dark Reading, will be presented as an example of agent goal manipulation. Protect Yourself Against Agentic AI ThreatsAs tends to be the case with LLMs, one of the best ways to protect oneself against AI threats is to use access controls that ensure the model you're working with never has access to more data than it needs to perform its function, and that said data is never exposed to external users. As Rallapalli explains, for any LLM that will interact with a user, the human operator should set limits, which can include things like keyword-based filtering at the input and output level. In other words, the model should have guardrails to help ensure that something problematic the user types in does not result in an output. And conversely, if the model begins to output something problematic, it gets blocked before reaching the end user. Related:Hardened Containers Look to Eliminate Common Source of VulnerabilitiesFor agents, more specifically, the presenter says organizations should have whitelists and blacklists regarding which tools are supplied to the model. "For example, if I have five sets of APIs that have well defined processes, only these five sets of APIs should be whitelisted for usage because otherwise the model can go rogue and call any API," he says. "The whitelisting of rules is very crucial."Read more about:Black Hat NewsAbout the AuthorAlexander CulafiSenior News Writer, Dark ReadingAlex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.See more from Alexander CulafiMore InsightsIndustry Reports2025 State of Threat Intelligence: What it means for your cybersecurity strategyGartner Innovation Insight: AI SOC AgentsState of AI and Automation in Threat IntelligenceGuide to Network Analysis Visibility SolutionsOrganizations Require a New Approach to Handle Investigation and Response in the CloudAccess More ResearchWebinarsIdentity Security in the Agentic AI EraHow AI & Autonomous Patching Eliminate Exposure RisksSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesMore WebinarsYou May Also LikeEditor's ChoiceVulnerabilities & Threats'CitrixBleed 2' Wreaks Havoc as Zero-Day Bug'CitrixBleed 2' Wreaks Havoc as Zero-Day BugbyJai Vijayan, Contributing WriterNov 12, 20255 Min ReadKeep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeWebinarsIdentity Security in the Agentic AI EraTues, Dec 9, 2025 at 1pm ESTHow AI & Autonomous Patching Eliminate Exposure RisksOn-DemandSecuring the Hybrid Workforce: Challenges and SolutionsTues, Nov 4, 2025 at 1pm ESTCybersecurity Outlook 2026Virtual Event | December 3rd, 2025 | 11:00am - 5:20pm ET | Doors Open at 10:30am ETThreat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesTuesday, Oct 21, 2025 at 1pm ESTMore WebinarsWhite PapersMissing 88% of Exploits: Rethinking KEV in the AI EraThe Straightforward Buyer's Guide to EDRThe True Cost of a Cyberattack - 2025 EditionHow to be a Better Threat HunterFrom the C-Suite to the SOC: Consolidating the Network Security SolutionsExplore More White PapersDiscover MoreBlack HatOmdiaWorking With UsAbout UsAdvertiseReprintsJoin UsNewsletter Sign-UpFollow UsCopyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.Home|Cookie Policy|Privacy|Terms of Use

The cybersecurity landscape is rapidly evolving, and a key area of concern is the rise of agentic AI. As detailed by Alexander Culafi for Dark Reading, these AI agents, initially perceived as advanced LLM chatbots capable of autonomous task completion, present significant vulnerabilities. The core issue lies in their increased capabilities – agents can make plans, access tools, and create goals, dramatically elevating the potential for risk compared to traditional LLMs. This heightened capacity makes them susceptible to manipulation and misuse, transforming them into potent attack vectors.

Researcher Johann Rehberger’s findings highlighted a critical vulnerability in VS Code and GitHub Copilot Agent, demonstrating how a single, seemingly innocuous command – dubbed “YOLO mode” – could allow an agent to bypass security controls, gain unauthorized access, and ultimately compromise a developer’s machine. This exemplifies the potential for agent goal manipulation, where attackers can direct an agent to perform actions against its intended functions. Culafi emphasizes the importance of implementing robust access controls, including keyword filtering and whitelisting of approved tools, to mitigate these risks. Organizations must restrict the tools available to these agents to prevent misuse.

The agentic AI threat landscape is not solely defined by individual vulnerabilities but also by the potential for interaction between agents. As described by Accorian AI engineer Nagarjun Rallapalli, agents can alter interactions with each other, creating networks of compromised systems. This interconnectedness amplifies the potential impact of a single attack. Protecting against this requires a layered approach, with a focus on limiting data exposure and maintaining strict control over agent behavior.

A key demonstration of this risk involves CVE-2025-53773, where manipulation of the VS Code and GitHub Copilot Agent led to unauthorized file creation and machine compromise. This illustrates the agent's capacity to leverage existing tools, like a calculator app, to execute malicious actions.

To defend against agentic AI threats, organizations should prioritize access controls – restricting data access and employing keyword-based filtering. Furthermore, whitelisting approved tools is crucial to preventing rogue actions. The potential for agent interaction and network compromise necessitates a proactive and layered security posture. Addressing these vulnerabilities proactively is critical given the evolving nature of agentic AI and its potential to reshape the cyber threat landscape.