Executive Summary
In 2024, security researchers uncovered a novel AI/ML security incident where AI agents' long-term memory storage was compromised via persistent indirect prompt injection. Adversaries managed to embed malicious instructions within normal AI inputs; these poisoned prompts were subsequently retained by the AI's memory module. When later queries accessed this memory, the injected instructions could exfiltrate conversation history or impact future responses, creating a stealthy, long-term threat. The breach highlighted how modern agentic AI’s tendency to remember user input presents an unforeseen risk vector, with potential for data leakage and manipulation of AI-driven workflows.
This incident signals a rising trend: as enterprises integrate AI agents and persistent memory, attackers are quickly adapting with prompt-based exploit techniques that subvert traditional security controls. The risk of covert data exfiltration and ongoing manipulation through AI memory will become a central compliance and governance issue in highly regulated industries.
Why This Matters Now
AI-powered agents with persistent memory are being rapidly adopted across industries, yet most organizations lack visibility and controls over how data is stored and recalled within these agents. Persistent prompt injection exploits this blind spot, making it critical for security leaders to address AI memory risks before adversaries widely weaponize such techniques.
Attack Path Analysis
The attack began when a malicious prompt was injected into the AI agent’s input stream, compromising its long-term memory and, through it, the underlying system. The attacker could then use the poisoned memory to potentially gain greater influence over the agent’s privileged behaviors. Lateral movement took the form of persisting the injected behaviors across different memory objects or workloads. The agent then established covert command and control via outbound communications, and sensitive historical data was exfiltrated through allowed egress channels. Finally, the attacker achieved impact by maintaining persistence in the AI’s long-term memory, creating business and integrity risks.
Kill Chain Progression
Initial Compromise
Description
An attacker achieved initial access by injecting a malicious prompt into the AI agent’s input stream, planting persistent behavior in long-term memory.
Related CVEs
CVE-2025-6965
CVSS: 9
A memory corruption vulnerability in the AI agent's processing of external content allows attackers to execute arbitrary code via indirect prompt injection.
Affected Products: Google Big Sleep AI Agent – < 3.50.2
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
- Phishing
- Command and Scripting Interpreter: Windows Command Shell
- Event Triggered Execution
- Data Encoding
- Obfuscated Files or Information
- Masquerading
- Input Capture
- Email Collection
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect stored cardholder data
Control ID: 3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT risk management framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Data Security and Classification
Control ID: Data Pillar – Data Security and Classification
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
AI memory poisoning threatens customer data confidentiality and regulatory compliance, requiring enhanced segmentation and threat detection for conversational banking systems.
Health Care / Life Sciences
Persistent AI agent vulnerabilities risk patient information exfiltration through poisoned memory, demanding zero trust controls and encrypted communication channels.
Information Technology/IT
AI/ML security threats target autonomous systems and agentic AI platforms, necessitating cloud-native security fabric and real-time anomaly detection capabilities.
Government Administration
Indirect prompt injection attacks compromise sensitive government AI systems, requiring multicloud visibility and robust egress security policy enforcement mechanisms.
Sources
- When AI Remembers Too Much – Persistent Behaviors in Agents’ Memory: https://unit42.paloaltonetworks.com/indirect-prompt-injection-poisons-ai-longterm-memory/
- Google Says AI Agent Thwarted Exploitation of Critical Vulnerability: https://www.securityweek.com/google-says-ai-agent-thwarted-exploitation-of-critical-vulnerability/
- How Microsoft defends against indirect prompt injection attacks: https://www.microsoft.com/en-us/msrc/blog/2025/07/how-microsoft-defends-against-indirect-prompt-injection-attacks/
- Prompt injection attacks might 'never be properly mitigated' UK NCSC warns: https://www.techradar.com/pro/security/prompt-injection-attacks-might-never-be-properly-mitigated-uk-ncsc-warns
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust and CNSF controls such as segmented networking, workload microsegmentation, inline threat detection, and egress enforcement would have detected or blocked adversary persistence and unauthorized data exfiltration by limiting lateral movement and monitoring outbound flows from compromised AI agents.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline inspection of AI interactions would alert on suspicious prompt structures and agentic behavior risks.
Control: Zero Trust Segmentation
Mitigation: Restricts AI agent access to only authorized resources, reducing the blast radius.
Control: East-West Traffic Security
Mitigation: Detects and blocks anomalous internal traffic that signals lateral spread.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous outbound C2 traffic is detected and alerted for response.
Control: Egress Security & Policy Enforcement
Mitigation: Sensitive data exfiltration by compromised agent is blocked or restricted.
Control: Kubernetes Workload Microsegmentation
Mitigation: Limits the persistence and spread of malicious AI behaviors within Kubernetes environments.
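The controls above describe inline inspection of memory manipulation and egress enforcement at the network layer. The following is an added illustration (not code from the original report or from any vendor named in it) of the same two ideas applied inside the agent itself: memory candidates are tagged with their provenance, directive-looking text that arrived via third-party content is quarantined instead of persisted, recalled memory is rendered as labelled data rather than instructions, and outbound requests are gated on a host allowlist. The regex heuristics, the allowlist host and the sample entries are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed heuristics: text that reads as a standing directive to the agent
# (not a fact about the user) is a candidate for memory poisoning.
INSTRUCTION_PATTERNS = [
    r"\b(always|whenever|from now on|in all future)\b",
    r"\b(ignore|disregard|override) (the |all )?(previous|prior|above)\b",
    r"\b(send|forward|post|include)\b.*\b(conversation|history|transcript)\b",
    r"https?://",
]
# Constructed allowlist of hosts the agent is permitted to reach outbound.
EGRESS_ALLOWLIST = {"api.bank.example"}

@dataclass
class MemoryEntry:
    text: str
    source: str                 # "user", "external_content" or "tool"
    quarantined: bool = False
    reasons: list = field(default_factory=list)

def instruction_like(text: str) -> list:
    """Return the patterns that make a memory candidate look like an instruction."""
    return [p for p in INSTRUCTION_PATTERNS if re.search(p, text, re.IGNORECASE)]

class MemoryStore:
    def __init__(self):
        self.entries = []

    def write(self, text: str, source: str) -> bool:
        """Persist a memory candidate; return True if it was quarantined instead."""
        reasons = instruction_like(text)
        # Directive-looking text that arrived via third-party content (web pages,
        # documents, tool output) is held for review rather than stored as trusted.
        quarantined = bool(reasons) and source != "user"
        self.entries.append(MemoryEntry(text, source, quarantined, reasons))
        return quarantined

    def recall(self) -> list:
        """Render memory as labelled data for the prompt, never as instructions."""
        return [f"[memory source={e.source}] {e.text}"
                for e in self.entries if not e.quarantined]

def egress_allowed(url: str) -> bool:
    """Gate outbound requests the agent wants to make on the host allowlist."""
    host = urlparse(url).hostname or ""
    return host in EGRESS_ALLOWLIST
```

Quarantined entries keep their matched patterns in `reasons`, which gives an analyst the evidence needed to review the poisoning attempt without it ever influencing later responses.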
Impact at a Glance
Affected Business Functions
- Customer Support
- Data Analysis
- Automated Reporting
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive customer data due to AI agent manipulation via indirect prompt injection.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and least privilege access for all AI agents and related workloads.
- Deploy inline CNSF controls to monitor and restrict suspicious AI prompt and memory manipulation.
- Implement east-west and egress policy enforcement to prevent lateral movement and unauthorized data exfiltration.
- Strengthen threat detection and anomaly response for AI/ML services to rapidly identify malicious persistence.
- Extend Kubernetes and cloud workload microsegmentation to reduce the impact of compromised agent behavior.