EchoLeak (CVE-2025-32711): The Zero-Click Vulnerability That Reveals a Flaw in RAG-Based AI Itself

Imagine receiving an email you never open. No attachment you click, no link you follow. The email simply arrives in your inbox, and somewhere in the background, your AI assistant quietly reads it, inherits its instructions, and begins exfiltrating your organization's sensitive data to an external server. No prompt. No warning. No trace of user interaction. That is not a thought experiment: it is precisely what Aim Labs researchers documented in January 2025 when they discovered CVE-2025-32711, the vulnerability now known as EchoLeak.

What EchoLeak Actually Did (and How) According to

the academic case study published on arXiv, EchoLeak is the first confirmed zero-click prompt injection exploit in a production large language model system. The vulnerability lived inside Microsoft 365 Copilot, the AI assistant that pulls context from a user's emails, files, and calendar via a Retrieval Augmented Generation (RAG) architecture. RAG is the design pattern where the model fetches live data from your environment to answer questions: useful in theory, dangerous in practice when that fetched data can contain instructions the model obeys. The attack chain, as detailed by the arXiv paper, worked by chaining four distinct bypasses in sequence. First, the malicious payload evaded Microsoft's XPIA (Cross Prompt Injection Attempt) classifier, the very defense built to catch this category of threat. Second, it circumvented link redaction by using reference-style Markdown formatting, a syntactic trick the sanitizer did not catch. Third, it exploited Copilot's behavior of auto-fetching images, causing the model to make an outbound request carrying exfiltrated data. Fourth, it abused a Microsoft Teams proxy that was permitted by the content security policy, giving the exfiltration channel a trusted-looking exit point. The result, per the paper, was full privilege escalation across LLM trust boundaries without any user interaction. BleepingComputer reported that Aim Labs disclosed their findings to Microsoft, which assigned the CVE-2025-32711 identifier and rated the flaw critical. Microsoft released a server-side patch in May 2026, meaning no user action was required to receive the fix. Microsoft also noted, per BleepingComputer, that there is no evidence of real-world exploitation.

The Part the Patch Does Not Fix

Here is where the story gets more interesting than a standard "patch applied, crisis averted" narrative. As Rescana's CVE analysis explains, while Microsoft's server-side remediation addressed the specific exploit path in Copilot, the underlying class of risk persists for any organization running a RAG-based AI assistant. The mechanism EchoLeak exploited, specifically prompt injection combined with context inheritance, is not a bug Microsoft introduced carelessly into one product. It is a consequence of how RAG systems are designed to work: they are built to trust the content they retrieve, because that content is supposed to be helpful context. When external content can contain adversarial instructions, that trust becomes an attack surface. Hack The Box's breakdown of the vulnerability describes the core problem clearly: Copilot is allowed to respond to content in documents and emails it retrieves, and a malicious document delivered to that context is treated as legitimate input. The model has no reliable way to distinguish between "data I was asked to summarize" and "instructions I was told to follow." This is the prompt injection problem, and it predates any specific CVE by years of academic warnings. The arXiv paper draws the broader lesson directly: the researchers outline engineering mitigations including prompt partitioning, enhanced input and output filtering, provenance-based access control, and strict content security policies. These are not patches to a single product; they are design principles for anyone building or deploying an AI assistant that touches real organizational data. The paper explicitly frames prompt injection as a practical, high-severity vulnerability class in production AI systems, not a theoretical curiosity.

What This Means

for Anyone Building or Using AI Tools Checkmarx framed EchoLeak as evidence that AI security is genuinely challenging in ways that differ from traditional software security. The problem is not just that a specific implementation had a bug. It is that the trust model AI assistants require to be useful is structurally in tension with the trust model security requires to be safe. Every RAG deployment that fetches untrusted content and passes it to an LLM shares some version of this surface. Trend Micro's analysis of the vulnerability emphasizes the preventive angle: organizations can reduce exposure by auditing what data sources their AI assistants are permitted to access, applying the principle of least privilege to AI agent permissions, monitoring Copilot outputs for anomalous retrieval patterns, and treating AI-readable documents with the same skepticism applied to executable attachments. These are learnable, applicable practices, not exotic countermeasures. For learners and builders, EchoLeak is genuinely instructive because it demonstrates that securing an AI system requires thinking about the model's trust boundaries, not just its perimeter. A firewall does not help you when the threat is inside the context window. The patch Microsoft deployed in May 2026 closes one specific door. Understanding why that door existed in the first place is what prepares you for the next one. Prompt injection as a vulnerability class is going to appear wherever AI assistants are given access to organizational data, and that category of deployment is only growing. The right question to ask of any RAG-based tool you adopt is not whether it has been patched, but whether it has been architected with adversarial content in mind.