The enterprise just handed attackers a skeleton key by building AI systems that can't tell orders from data.
The Summary
- Prompt injection topped the 2025 OWASP LLM vulnerability list for the second year running, while CrowdStrike documented attacks at 90+ organizations where injected prompts stole credentials and crypto
- AI-enabled attack volume jumped 89% year-over-year, with prompts functioning as "the new malware"
- Documented exploits include Slack AI data exfiltration from private channels and EchoLeak (CVE-2025-32711, CVSS 9.3), the first zero-click prompt injection vulnerability
The Signal
Two years into the enterprise AI deployment wave, security researchers and threat intelligence teams are reaching the same conclusion from different angles. The fundamental architecture of LLM-powered systems creates an exploitable gap: these models cannot reliably distinguish between instructions and data. That design flaw becomes an attack surface the moment you connect an LLM to real business systems.
CrowdStrike tracked over 280 adversary groups in 2025 and documented prompt injection attacks at more than 90 organizations. The pattern is consistent. Attackers embed malicious instructions in content the AI system will ingest: a Slack message, an uploaded document, a support ticket, a retrieved web page. When the LLM processes that content, it executes the hidden instruction as if it came from the system designer.
"Prompts are the new malware."
The Slack AI case shows how this works in practice. Researchers at PromptArmor found they could exfiltrate data from private channels by placing instructions in public channels or uploaded files. The AI read the malicious prompt, treated it as a legitimate system instruction, and handed over API keys from developer channels the attacker had no access to. No permission bypass needed. No exploit chain. Just text that the model couldn't recognize as adversarial.
The EchoLeak vulnerability demonstrates the next level: zero-click exploitation. Attackers don't need user interaction. They just need the AI agent to encounter their payload during routine operation. Retrieval-Augmented Generation (RAG) pipelines make this trivial. Every time your AI assistant searches internal documentation or external sources to answer a question, it's potentially ingesting attacker-controlled instructions.
Key escalation points:
- Agent systems with tool-calling capabilities can execute arbitrary commands once compromised
- RAG pipelines automatically ingest untrusted content by design
- Model routers that select between different LLMs create multiple injection surfaces
The 89% year-over-year increase in AI-enabled attack volume isn't about attackers using AI to write better phishing emails. It's about using AI systems as the attack vector itself. When your customer support bot, internal search tool, or coding assistant can be reprogrammed on the fly by anyone who figures out the right sequence of words, you've deployed an access control system with no access control.
This isn't a bug that gets patched. It's the architecture. Current LLMs are trained to follow instructions embedded in text. They're trained to be helpful. They're trained to extract meaning from context. Those capabilities make them useful. They also make them manipulable. The security community has known this since GPT-3. Enterprises deployed anyway.
The Implication
If you're building with AI agents, assume every piece of content they touch is potentially adversarial. That means treating RAG pipelines like you treat user input in a SQL injection context: sanitize, validate, constrain. It means limiting agent tool access to the absolute minimum necessary. It means logging every action an agent takes and monitoring for unexpected behavior patterns.
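One concrete shape for the "minimum tool access plus logging" advice above, as an added example that is not code from this article or from any product it names: a policy gate placed between the model's requested tool call and the dispatcher that actually runs it. The roles, tool names and internal hosts are assumptions for illustration.

```python
"""Policy gate for an LLM agent's tool calls (added example; roles, tools, hosts assumed)."""
import json
import logging
import re
from dataclasses import dataclass

log = logging.getLogger("agent.audit")

# Least privilege: each agent role may call only the tools it needs (assumed roles/tools).
ALLOWED_TOOLS = {
    "support_bot": {"search_tickets", "reply_to_customer"},
    "docs_search": {"search_docs"},
}
# Only these hosts may appear in tool arguments; anything else is treated as egress (assumed).
ALLOWED_HOSTS = {"docs.example.internal", "tickets.example.internal"}
URL_RE = re.compile(r"https?://([^/\s]+)")
# Credential-shaped text in an outbound argument is a classic exfiltration symptom.
SECRET_RE = re.compile(r"(?i)(api[_-]?key|token|secret|password)\s*[:=]\s*\S+")


@dataclass
class Decision:
    allowed: bool
    reason: str


def _audit(role: str, tool: str, args: dict, allowed: bool, reason: str) -> Decision:
    """Every decision, allowed or denied, is written as one JSON audit record."""
    log.info(json.dumps({"role": role, "tool": tool, "args": args,
                         "allowed": allowed, "reason": reason}))
    return Decision(allowed, reason)


def gate_tool_call(agent_role: str, tool: str, args: dict) -> Decision:
    """Decide whether a model-requested tool call may run. The model's text is
    untrusted here, so the gate checks the call, not the model's intent."""
    if tool not in ALLOWED_TOOLS.get(agent_role, set()):
        return _audit(agent_role, tool, args, False, "tool not in role allowlist")
    for value in args.values():
        if not isinstance(value, str):
            continue
        for m in URL_RE.finditer(value):
            if m.group(1) not in ALLOWED_HOSTS:
                return _audit(agent_role, tool, args, False,
                              f"egress to {m.group(1)} not allowlisted")
        if SECRET_RE.search(value):
            return _audit(agent_role, tool, args, False, "argument looks like a credential")
    return _audit(agent_role, tool, args, True, "ok")
```

A denied call with a non-allowlisted host or credential-shaped argument is exactly the "unexpected behavior pattern" worth alerting on, since a benign support reply rarely needs either.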
For organizations already running LLM-powered systems in production, the prompt injection threat isn't theoretical anymore. The attacks are documented, the adversaries are active, and the vulnerability is baked into the model architecture. You can't fix the LLM itself. You can only engineer constraints around it. That's expensive, reduces functionality, and slows deployment. But it's cheaper than learning you've been owned because someone put the right words in a public Slack channel six months ago.