2 Sources
[1]
Prompt injection is exploiting enterprise AI's biggest design flaws by targeting agents, RAG pipelines and model routers
In the past two years, businesses have been trying to fit large language models (LLMs) into support, analytics, development, and internal automation like never before. Along with the increasing adoption of AI technology, another trend is gaining momentum -- cybercriminals are taking advantage of the disconnect between assumptions about LLMs and their actual characteristics.

In 2025 and 2026, several independent sources have highlighted the same trend: prompt injection remains one of the most impactful and widely demonstrated attack vectors against LLM systems. The OWASP LLM Top 10 (2025) lists prompt injection as LLM01, identifying it as the most critical category of LLM-specific vulnerabilities, for the second consecutive edition. OWASP's ranking reflects the fact that LLMs still struggle to reliably separate instructions from data, making them susceptible to manipulation through crafted inputs.

CrowdStrike's 2026 Global Threat Report -- built on frontline intelligence across more than 280 tracked adversaries -- documented that threat actors injected malicious prompts into legitimate generative AI tools at more than 90 organizations in 2025. They then used those injections to generate commands that stole credentials and cryptocurrency. The report stated it plainly: "Prompts are the new malware." AI-enabled adversaries increased their overall attack volume by 89% year-over-year, with prompt injection working as both an entry point and a force multiplier.

Real-world incidents illustrate the operational impact. In August 2024, researchers at PromptArmor disclosed a prompt injection vulnerability in Slack AI that allowed an attacker to exfiltrate data from private Slack channels they had no access to -- including API keys shared in private developer channels -- by placing a malicious instruction in a public channel or embedding it in an uploaded document. In June 2025, researchers at Aim Security disclosed EchoLeak (CVE-2025-32711, CVSS 9.3), the first documented zero-click prompt injection exploit against a production AI system, targeting Microsoft 365 Copilot. By sending a single crafted email, with no user interaction required, an attacker could cause Copilot to access internal files and transmit their contents to an attacker-controlled server. Both vulnerabilities were patched.

These incidents underscore the fact that prompt injection is not a theoretical weakness but a practical, repeatable threat that organizations must address as they deploy AI systems at scale. Prompt injection techniques have evolved considerably over recent years and now target multi-agent architectures, retrieval-augmented generation (RAG) pipelines, model routers, and long-term memory capabilities.

The enterprise challenge: too much trust

Businesses deploy LLMs to process instructions, summarize information, and trigger automated workflows, but it is difficult for LLMs to tell:

* Instructions from data
* Information from context
* Context from metadata
* User intent from metadata

This creates an opportunity for attackers to manipulate and influence the model's behavior, either directly or indirectly.

Modern prompt injection

Cross-model prompt injection: Using several LLMs in one pipeline is common practice among enterprises. Attackers corrupt the output of a particular model, knowing that other models will process that content downstream, so the corruption propagates through all connected AI systems.

RAG supply chain poisoning: Attackers plant malicious content -- documentation, blog articles, GitHub READMEs -- and wait until it is ingested into an enterprise's RAG pipeline, then use it as an attack vector.

Agent hijacking: AI agents have evolved to the point where they can send emails, modify cloud infrastructure, execute code snippets, and interact with internal corporate systems. A single injected instruction is enough to make an agent act in a harmful way.

Context overflow attacks: With million-token context windows, attackers place malicious instructions deep within a document and hope that the LLM will stumble upon them and follow them, overriding all previous instructions.

Memory poisoning: Because LLM systems now implement long-term memory, attackers can inject instructions that permanently reconfigure the system's state.

Model-router manipulation: Enterprises increasingly use model routers to select between multiple LLMs. Attackers craft prompts that force routing to the weakest or least-guarded model.

Why this matters for business leaders

Prompt injection is not a theoretical problem. It directly affects:

* Customer-facing systems (chatbots, support agents)
* Internal copilots (developer tools, security assistants)
* Automation workflows (ticketing, cloud operations, HR processes)
* Data governance (RAG pipelines, knowledge bases)

The risk is no longer limited to "the model said something it shouldn't." In 2026, prompt injection can:

* Trigger unauthorized actions
* Leak sensitive data
* Corrupt internal workflows
* Manipulate analytics
* Alter business logic
* Compromise multi-agent systems

The attack surface has expanded dramatically.

What enterprises should do now

1. Constrain model permissions. Limit what the model can do, not just what it should do.
2. Segment untrusted content. Treat all external data -- including RAG sources -- as potentially hostile.
3. Monitor tool invocation. Require human approval for high-impact actions.
4. Validate content provenance. Ensure RAG pipelines don't ingest poisoned external content.
5. Harden model routers. Prevent attackers from forcing routing to weaker models.
6. Treat LLMs as untrusted components. This mindset shift is the foundation of modern AI security.

The bottom line

Prompt injection remains the most effective way to compromise enterprise AI systems because it exploits the fundamental way LLMs interpret text. Until organizations treat LLMs as untrusted interpreters -- not autonomous decision-makers -- prompt injection will continue to dominate the AI threat landscape.

Julie Brunias is an AI Security Architect.
[2]
CrowdStrike warns prompt injection attacks hit over 90 firms in 2025
In its 2026 Global Threat Report, CrowdStrike reported prompt injection attacks at more than 90 organizations during 2025. The injected prompts generated commands that stole credentials and cryptocurrency, marking a significant shift: these prompts now function as malware. The report documented an 89% year-over-year rise in AI-enabled adversary operations. Additionally, 82% of intrusions involved no traditional malicious code, occurring as enterprises transitioned to using agents, copilots, and browser automations that access email, code, payments, and file shares.

Prompt injection has maintained its top ranking as LLM01 on the OWASP Top 10 for large language model applications for two consecutive editions. OWASP highlighted that language models are unable to reliably distinguish developer instructions from untrusted text, transforming what was once a research curiosity into an operational vulnerability. Direct prompt injection takes place when a user types instructions to override a system prompt, while indirect prompt injection occurs when an attacker embeds instructions within content the model reads later, such as emails or documents. The user does not see the payload, and the agent executes the malicious commands without interaction.

Two notable incidents shed light on the severity of these vulnerabilities. In August 2024, PromptArmor disclosed that an attacker could use Slack AI to exfiltrate data from private channels by planting instructions in public channels or uploaded files. The following year, Aim Security reported EchoLeak (CVE-2025-32711), rated CVSS 9.3, in which a crafted email directed Microsoft 365 Copilot to retrieve internal files and send them to an attacker-controlled server. Both vulnerabilities were patched, but the class of attacks remains unresolved.

The vulnerable surface has expanded to a broader agentic stack, where agents that execute various tasks treat their context as authoritative. This means long-term agent memory can retain and re-execute malicious instructions repeatedly. OpenAI acknowledged in December 2025 that prompt injection is unlikely to be fully solved, often likening it to social engineering. Anthropic's Claude Opus 4.6 system card indicated a 17.8% success rate for a single prompt injection attempt, escalating to 78.6% over 200 attempts without safeguards in place. Google reported a 53.6% success rate for prompt injection against its Gemini deployment.

In December 2025, Gartner advised CISOs to block all AI browsers, citing indirect prompt injection and other risks associated with insufficient controls. Cyberhaven reported that 27.7% of organizations had at least one user with the blocked AI tool Atlas installed, a warning echoed by the UK National Cyber Security Centre and Germany's BSI.

The limitations of existing defenses against prompt injection stem from the shared text channel in language models. Input validation, output filtering, and other detection methods struggle because the model itself cannot separate authorized commands from untrusted content. A separate finding indicated that 65.3% of organizations lack dedicated defenses against prompt injection, relying instead on vendor-supplied measures and policy training.

Effective controls should include limiting each agent's authority, requiring human approval for critical actions, tagging retrieval sources based on sensitivity, and implementing auditing practices. As organizations consider AI deployments, security teams are encouraged to ask vendors about detection capabilities, success rates against prompt injections, adherence to OWASP recommendations, and the capacity to log exact agent actions. Given these vulnerabilities, enterprises should assume that models will occasionally follow injected instructions, which makes robust external controls a necessity.
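The controls both articles recommend (limiting each agent's authority, human approval for high-impact actions, tagging retrieved content by provenance, and auditing every action) can be enforced outside the model, so a model that does follow an injected instruction is still bounded. The following is an added illustration, not code from either article or from any vendor named above; the agent names, tool names and allowlists are assumed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Trust(Enum):
    """Provenance of the text that produced a tool call (highest to lowest)."""
    SYSTEM = 3      # developer/system prompt
    USER = 2        # the authenticated end user's own turn
    RETRIEVED = 1   # RAG documents, emails, web pages: data, never instructions

@dataclass
class ToolCall:
    agent: str
    tool: str
    origin: Trust                 # trust level of the text that triggered the call
    args: dict = field(default_factory=dict)

# Assumed per-agent authority and tool classes; names are illustrative only.
ALLOWLIST = {
    "support-bot": {"search_kb", "create_ticket"},
    "ops-agent": {"search_kb", "create_ticket", "send_email", "modify_infra"},
}
READ_ONLY = {"search_kb"}                      # no side effects, safe from any origin
HIGH_IMPACT = {"send_email", "modify_infra"}   # irreversible or exfiltration-capable

def authorize(call: ToolCall, approved_by_human: bool = False,
              audit: Optional[list] = None):
    """Return ('allow' | 'deny' | 'needs_approval', reason) and append to the audit log.

    The decision is made outside the model: the call is bounded by the agent's
    allowlist, the provenance of the triggering text, and a human gate for
    high-impact tools, regardless of what the LLM was persuaded to request.
    """
    if call.tool not in ALLOWLIST.get(call.agent, set()):
        decision = ("deny", "tool not in agent allowlist")
    elif call.origin is Trust.RETRIEVED and call.tool not in READ_ONLY:
        decision = ("deny", "side-effecting call originated in untrusted content")
    elif call.tool in HIGH_IMPACT and not approved_by_human:
        decision = ("needs_approval", "high-impact tool requires human approval")
    else:
        decision = ("allow", "within agent authority")
    if audit is not None:   # log exact agent, tool, provenance, args and outcome
        audit.append((call.agent, call.tool, call.origin.name, call.args, *decision))
    return decision

if __name__ == "__main__":
    log = []
    # Constructed sample: an email-triggered send is denied, a user-approved one allowed.
    print(authorize(ToolCall("ops-agent", "send_email", Trust.RETRIEVED), audit=log))
    print(authorize(ToolCall("ops-agent", "send_email", Trust.USER),
                    approved_by_human=True, audit=log))
    for entry in log:
        print(entry)
```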
CrowdStrike's 2026 Global Threat Report reveals that prompt injection attacks compromised more than 90 organizations in 2025, with adversaries using malicious prompts to steal credentials and cryptocurrency. AI-enabled adversary operations increased 89% year-over-year, while 82% of intrusions involved no traditional malware, highlighting critical vulnerabilities in AI agents and copilots deployed across enterprise systems.

Prompt injection has evolved from a theoretical concern into an active threat vector exploiting enterprise AI design flaws across production systems. CrowdStrike's 2026 Global Threat Report documented prompt injection attacks at more than 90 organizations during 2025, where adversaries injected malicious prompts into legitimate generative AI tools to generate commands that stole credentials and cryptocurrency [2]. The report stated plainly: "Prompts are the new malware," reflecting a fundamental shift in how attackers weaponize AI systems [1].

AI-enabled adversary operations increased 89% year-over-year, with 82% of intrusions involving no traditional malicious code [2]. This surge coincides with enterprises deploying AI agents, copilots, and browser automations that access email, code, payments, and file shares. The OWASP LLM Top 10 (2025) lists prompt injection as LLM01, identifying it as the most critical category of LLM-specific vulnerabilities for the second consecutive edition [1]. OWASP highlighted that language models cannot reliably distinguish developer instructions from untrusted text, transforming research curiosities into operational vulnerabilities [2].

Two high-profile cases illustrate the severity of vulnerabilities in AI agents and copilots. In August 2024, researchers at PromptArmor disclosed a prompt injection vulnerability in Slack AI that allowed attackers to exfiltrate data from private Slack channels they had no access to, including API keys shared in private developer channels, by placing malicious instructions in public channels or uploaded documents [1]. In June 2025, Aim Security disclosed EchoLeak (CVE-2025-32711, CVSS 9.3), the first documented zero-click prompt injection exploit against a production AI system, targeting Microsoft 365 Copilot [1]. By sending a single crafted email, with no user interaction required, an attacker could cause Copilot to access internal files and transmit their contents to an attacker-controlled server [2]. Both vulnerabilities were patched, but the class of attacks remains unresolved [2].

Indirect prompt injection risks have expanded as attackers develop sophisticated techniques targeting multi-agent architectures. Cross-model injection occurs when attackers corrupt the output of one model knowing other models will process the content, propagating corruption through AI systems [1]. RAG pipelines face supply chain poisoning when attackers create malicious documentation, blog articles, or GitHub READMEs that get ingested into enterprise retrieval systems [1]. Agent hijacking represents a particularly dangerous vector, as AI agents can now send emails, modify cloud infrastructure, execute code snippets, and interact with internal corporate systems -- requiring just a single instruction to act harmfully [1]. Memory poisoning exploits long-term memory implementations in LLMs, allowing attackers to inject instructions that permanently reconfigure system state [1]. Model routers, which enterprises use to select between multiple LLMs, can be manipulated through crafted prompts that force routing to the weakest or least-guarded model [1].

OpenAI acknowledged in December 2025 that prompt injection is unlikely to be fully solved, often likening it to social engineering [2]. Anthropic's Claude Opus 4.6 system card indicated a 17.8% success rate for a single prompt injection attempt, escalating to 78.6% over 200 attempts without safeguards in place [2]. Google reported a 53.6% success rate for prompt injection against its Gemini deployment [2].

In December 2025, Gartner advised CISOs to block all AI browsers, citing indirect prompt injection and other risks associated with insufficient controls [2]. Cyberhaven reported that 27.7% of organizations had at least one user with the blocked AI tool Atlas installed [2]. A separate finding indicated that 65.3% of organizations lack dedicated defenses against prompt injection, relying instead on vendor-supplied measures and policy training [2].

The limitations of existing defenses stem from shared text channels in language models, where input validation and output filtering struggle due to the inherent inability to separate authorized commands from untrusted content [2]. Effective controls should include limiting each agent's authority, requiring human approval for critical actions, tagging retrieval sources based on sensitivity, and implementing auditing practices [2]. Security teams should ask vendors about detection capabilities, success rates against prompt injections, adherence to OWASP recommendations, and the capacity to log exact agent actions [2].

Summarized by Navi