PT-2025-25212 · Microsoft · M365 Copilot

Es7Evam +1 · Published 2025-06-11 · Updated 2025-10-16 · CVE-2025-32711

CVSS v3.1: 9.3
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Microsoft 365 Copilot (affected versions not specified)

Description: Microsoft 365 Copilot is susceptible to a zero-click AI exploit, identified as EchoLeak (CVE-2025-32711). The flaw allows attackers to steal sensitive data silently via email without any user interaction. It is an AI command injection vulnerability that enables unauthorized disclosure of information over a network. The attack leverages the Retrieval-Augmented Generation (RAG) engine and bypasses existing security mechanisms, allowing secrets to be exfiltrated directly from Copilot functionality. This represents a new class of AI threat known as LLM Scope Violation. While no real-world exploitation has been reported, the vulnerability highlights significant AI security risks.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Command Injection

Related Identifiers

BDU:2025-06696
CVE-2025-32711

Affected Products

M365 Copilot