EchoLeak (CVE-2025-32711, CVSS 9.3): A single crafted email caused Microsoft 365 Copilot to silently exfiltrate the victim's internal files, credentials, and documents to an attacker-controlled server. Zero clicks required.

The attacker tricks the model into exposing its own system prompt. Once they know the guardrails, they know exactly how to bypass them — what's allowed, what's blocked, what tools the AI has access to.

Researchers demonstrated that injecting instructions into a document submitted for AI peer review caused the AI to write a falsely positive review — praising contributions and ignoring limitations — regardless of the paper's actual quality.

CVE-2024-5184: An attacker exploited an LLM-powered email assistant to invoke email read and send functions they had no authorization to use — accessing sensitive data and manipulating outgoing emails.

GitHub Copilot CVE-2025-53773: Injection via invisible Unicode in a code file caused Copilot to modify .vscode/settings.json to enable auto-approval of all commands, then execute arbitrary shell commands on the developer's machine. Full RCE through a coding assistant.

Freysa AI (November 2024): An AI agent explicitly programmed to never transfer funds was manipulated through prompt injection into transferring $47,000 in cryptocurrency to the attacker on the 482nd attempt.