Security researchers at Radware have disclosed a critical vulnerability in ChatGPT dubbed ZombieAgent that allows attackers to establish persistent data exfiltration channels through prompt injection attacks. The flaw enables malicious actors to steal user data continuously across multiple sessions, even after the initial compromise, making it significantly more dangerous than typical one-time injection attacks.

The vulnerability exploits ChatGPT memory and context handling mechanisms to maintain persistence between user sessions. Once a user interacts with a malicious prompt, the attack payload embeds itself into the conversation context and continues operating in subsequent interactions. According to Radware researchers, this creates a zombie-like behavior where the compromised session keeps transmitting sensitive data without user awareness.

Technical analysis reveals that ZombieAgent leverages ChatGPT ability to remember previous conversations and user preferences. Attackers craft specially designed prompts that instruct the AI to include hidden data exfiltration commands in future responses. The attack can spread when users share compromised conversations or when the AI references infected context in new sessions.

OpenAI has acknowledged the vulnerability and deployed patches to address the prompt injection vector. Security experts recommend that users review their ChatGPT memory settings and clear conversation history if they suspect compromise. Organizations using ChatGPT for business purposes should implement additional monitoring for unusual data patterns in AI interactions.

The discovery highlights the growing security challenges facing AI assistants that maintain persistent state and memory. Researchers warn that similar vulnerabilities likely exist in other AI systems with memory capabilities, urging vendors to implement stronger isolation between user sessions and more robust input validation mechanisms.