A groundbreaking new study demonstrates that teams of LLM agents can find and exploit previously unknown security flaws without human guidance, as experts warn enterprise AI assistants are wide open to a devastating “zero-click” takeover.
LAS VEGAS, NV – March 2025 – The era of autonomous AI-powered cyberattacks is no longer a theoretical future threat—it is a present-day reality. New research from the University of Illinois Urbana-Champaign has demonstrated for the first time that coordinated teams of artificial intelligence agents can successfully discover and exploit real-world, “zero-day” vulnerabilities without any prior knowledge of the flaw.
The study, titled “Teams of LLM Agents can Exploit Zero-Day Vulnerabilities,” introduces a multi-agent system called HPTSA (Hierarchical Planning and Task-Specific Agents) that marks a significant leap in the offensive capabilities of AI.
“This resolves an open question in the security community,” said lead researcher Daniel Kang. “We’ve shown that a more complex, structured AI setup can effectively exploit vulnerabilities that are completely new to the AI, moving far beyond the simple, scripted attacks of yesterday.”
How the AI Hacking Teams Work
A single LLM agent struggles with the long-range planning and exploration needed to find unknown vulnerabilities: it tends to get stuck in dead ends, burns its attempts on the wrong vulnerability class, and cannot efficiently backtrack.
The HPTSA system overcomes this by creating a hierarchy of specialized agents:
- A Planning Agent: Acts as a supervisor, exploring a target website to map its structure and identify potential weak points.
- A Team Manager: Receives instructions from the planner and decides which specialized expert agent to deploy.
- Task-Specific Expert Agents: A team of specialists (e.g., for SQL injection, cross-site scripting (XSS), and CSRF), each equipped with custom tools and documentation for its vulnerability class.
This structure lets the system probe a target methodically, switch to a different expert or payload when an attempt fails, and exploit flaws the underlying model had never seen.
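The hierarchy described above, as a constructed Python illustration added here (it is not the HPTSA code and makes no claim about the paper's internals): a planner ranks endpoints from a crawled site map, a manager chooses which expert to deploy first based on what the planner found and gives each expert a fixed attempt budget, and each expert is a playbook of payloads run against an in-memory toy target whose /login endpoint concatenates input into SQL. The target, the payload lists, the five-attempt budget and the parameter-name heuristic are all assumptions made for the demo.

```python
import html
import sqlite3


class ToyTarget:
    """Constructed target (not a real app). /login concatenates user input
    into SQL, deliberately vulnerable for the demo; /search escapes its input."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users(name TEXT, pw TEXT, role TEXT)")
        self.db.execute("INSERT INTO users VALUES ('admin', 's3cret', 'admin')")

    def site_map(self):
        # what a crawl would recover: path -> parameter names
        return {"/search": ["q"], "/login": ["user", "pw"]}

    def request(self, path, params):
        if path == "/login":
            sql = (f"SELECT role FROM users WHERE name='{params['user']}'"
                   f" AND pw='{params['pw']}'")
            try:
                row = self.db.execute(sql).fetchone()
            except sqlite3.Error:
                return "error"
            return f"welcome, role={row[0]}" if row else "denied"
        if path == "/search":
            return "no results for " + html.escape(params["q"])
        return "404"


class SQLiExpert:
    """Task-specific agent: a playbook of SQLi probes, one per attempt."""
    name = "sqli"
    playbook = ["'", "' OR 1=1--", "admin'--"]

    def attempt(self, target, path, param_names, n):
        if n >= len(self.playbook):
            return None                      # playbook exhausted
        params = {p: "x" for p in param_names}
        params[param_names[0]] = self.playbook[n]
        resp = target.request(path, params)
        if resp.startswith("welcome"):
            return f"{path}: auth bypass with {self.playbook[n]!r} -> {resp}"
        return None


class XSSExpert:
    """Task-specific agent: checks whether a marker is reflected unescaped."""
    name = "xss"
    playbook = ["<script>alert(1)</script>", "<img src=x onerror=alert(1)>"]

    def attempt(self, target, path, param_names, n):
        if n >= len(self.playbook):
            return None
        resp = target.request(path, {p: self.playbook[n] for p in param_names})
        if self.playbook[n] in resp:
            return f"{path}: reflected XSS with {self.playbook[n]!r}"
        return None


class Planner:
    """Supervisor: maps the site and ranks endpoints worth attacking."""

    def explore(self, target):
        def looks_like_auth(params):
            return "user" in params or "pw" in params
        return sorted(target.site_map().items(),
                      key=lambda kv: looks_like_auth(kv[1]), reverse=True)


class TeamManager:
    """Picks which expert to deploy first and enforces the attempt budget."""

    def __init__(self, experts, max_attempts=5):
        self.experts, self.max_attempts = experts, max_attempts

    def choose_order(self, param_names):
        # heuristic (assumption): credential-style parameters -> SQLi first
        first = "sqli" if any(p in ("user", "pw", "id") for p in param_names) else "xss"
        return sorted(self.experts, key=lambda e: e.name != first)

    def attack(self, target, path, param_names):
        log = []                             # (expert, attempt, succeeded)
        for expert in self.choose_order(param_names):
            for n in range(self.max_attempts):
                result = expert.attempt(target, path, param_names, n)
                log.append((expert.name, n, result is not None))
                if result:
                    return result, log       # stop at first working exploit
        return None, log                     # every expert gave up: backtrack


def run_hptsa_style(target, max_attempts=5):
    planner = Planner()
    manager = TeamManager([SQLiExpert(), XSSExpert()], max_attempts)
    findings, attempt_log = {}, {}
    for path, param_names in planner.explore(target):
        findings[path], attempt_log[path] = manager.attack(target, path, param_names)
    return findings, attempt_log


if __name__ == "__main__":
    found, log = run_hptsa_style(ToyTarget())
    for path, result in found.items():
        print(path, "->", result or "no exploit found", "after", len(log[path]), "attempts")
```

Against this toy, the manager sends the SQLi expert to /login first, its first probe produces a database error and its second bypasses authentication, while /search exhausts both experts' budgets without a finding. The point the structure makes is the one the paper argues: the dispatch heuristic and the per-expert playbooks are what keep the attempt budget from being spent on the wrong vulnerability class.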
Alarming Success Rate Against Critical Flaws
The researchers tested HPTSA on a benchmark of 14 real-world, zero-day vulnerabilities—all published after the knowledge cutoff date of the AI models used, ensuring they were truly “unknown.”
The results were stark:
- The GPT-4 powered HPTSA system successfully exploited 42% of the vulnerabilities given five attempts per target.
- It outperformed a single, non-specialized AI agent by a factor of 4.3x.
- It performed within 1.8x of an AI that was given a description of the vulnerability ahead of time—a significant milestone.
- Popular open-source vulnerability scanners like OWASP ZAP and Metasploit achieved a 0% success rate against the same targets.
The exploited vulnerabilities were not minor; they included multiple flaws classified as “Critical” (CVSS score 9.0+), which could lead to full system compromise.
The Enterprise AI Attack Surface is Already Open
While the academic study demonstrates capability, a separate, alarming presentation at Black Hat USA 2025 reveals how this threat is already poised to impact enterprises today.
In a Dark Reading interview, Michael Bargury, CTO of security firm Zenity, detailed his “AgentFlayer” research, which uncovered a critical “zero-click” exploit method targeting AI assistants integrated into enterprise environments like Microsoft Copilot, Google Gemini, and Salesforce Einstein.
“Modern AI assistants have grown arms and legs,” Bargury explained. “They are integrated with your email, documents, and calendars and can perform actions on your behalf. The problem is that an external attacker needs nothing but a user’s email address to completely take over these agents.”
“Zero-click” means the victim does not have to open, click or approve anything: the attacker only needs to get content in front of the assistant, and the assistant acts on it. Once compromised, the AI agent, which users trust as an adviser, can be turned into a powerful tool for data theft, internal manipulation, and espionage.
“Attackers can use these agents to manipulate you as a human,” Bargury warned. “The trusted adviser can also guide you off a cliff.”
A Call for a New Security Paradigm
Both studies converge on a critical conclusion: the current approach to AI security is fundamentally broken.
Bargury criticized the industry’s focus on preventing “prompt injection” attacks through simple guardrails and blocklists, comparing it to the naive security of the 1990s.
“The solution is not something new. We need to assume breaches,” he stated. “Apply defense in depth. Apply the lessons we’ve learned, and stop trying to build the perimeter.”
The authors of the academic paper concur, noting that their findings suggest cybersecurity—both offensive and defensive—will rapidly accelerate. They hope their work pushes LLM providers and enterprises to think more carefully about deployment and safeguards.
The Bottom Line: Organizations adopting AI agents must immediately move from expecting vendors to “fix” the problem to creating dedicated, managed security programs focused on defense-in-depth. The agents are no longer just tools; they are a new, and highly vulnerable, attack surface.