Aim Security Reveals Zero-Click Flaw in AI Powered Microsoft Copilot


A newly reported attack technique known as EchoLeak has been documented as the first zero-click vulnerability that specifically targets Microsoft 365 Copilot in the enterprise. This raises important concerns about the evolving risks associated with AI-based enterprise tools.
In a recent report, cybersecurity firm Aim Security disclosed a vulnerability that allows threat actors to stealthily exfiltrate sensitive information from Microsoft's intelligent assistant without any user interaction, marking a significant escalation in the sophistication of attacks that target artificial intelligence systems.
The vulnerability, tracked as CVE-2025-32711 and carrying a critical CVSS score of 9.3, is a severe form of command injection against the AI system.
An unauthorised actor can manipulate Copilot's responses, and indirect prompt injection can force data disclosure over a network even when the user has not engaged with or clicked on any of the prompts.
As part of the June 2025 Patch Tuesday update, Microsoft confirmed that this issue exists and included the fix in the patch. In the update, Microsoft addressed 68 vulnerabilities in total.
EchoLeak is a behaviour described as a "scope violation" in large language models (LLMs). This is the result of the AI's response logic be

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
