EchoLeak: zero-click data theft from an AI assistant
Article summary
Quick briefing — cleaned from the original RSS feed
In June 2025, Microsoft patched a vulnerability in Microsoft 365 Copilot tracked as CVE-2025-32711 , CVSS 9.3, and named EchoLeak by the researchers who found it at Aim Labs (Aim Security). It's widely described as the first publicly documented zero-click prompt injection against a production LLM application — and the first time prompt injection was shown to cause concrete data exfiltration, not just a misbehaving response. The part worth sitting with: the victim never clicked anything. What…
1Key Takeaways
- In June 2025, Microsoft patched a vulnerability in Microsoft 365 Copilot tracked as CVE-2025-32711 , CVSS 9.3, and named EchoLeak by the researchers who found it at Aim Labs (Aim Security).
- It's widely described as the first publicly documented zero-click prompt injection against a production LLM application — and the first time prompt injection was shown to cause concrete data exfiltration, not just a misbehaving response.
- The part worth sitting with: the victim never clicked anything.
2AIWedia Score
8.7/10
High relevance — worth your attention today
Based on source trust, recency, category impact, and story depth.
3Why it matters
Coding AI shifts how fast software ships and how much human review each change needs. DEV — AI reports that in June 2025, Microsoft patched a vulnerability in Microsoft 365 Copilot tracked as CVE-2025-32711 , CVSS 9.3, and named EchoLeak by the researchers who found it at Aim Labs (Aim Security).
Explore related
Browse toolsCoding AI news
Explore curated coding ai tools on AIWedia — compare, rank, and launch from our directory.
Full story on DEV — AI
Read full articleHeadlines aggregated via RSS for discovery on AIWedia. Original content © DEV — AI. We link to the source and do not republish full articles.