Prompt injection attacks exploit the biggest design flaws in enterprise AI by targeting RAG pipelines and model routers.

In the last two years, enterprises have adopted large language models (LLMs) for support, analytics, development and internal automation like never before.

Alongside the growing acceptance of AI technology, another trend is gaining momentum: cybercriminals are exploiting the gap between what is assumed about LLMs and how they actually behave.

In 2025 and 2026, several independent sources highlighted the same trend: prompt injection remains one of the most effective and widely demonstrated attack vectors against LLM systems. The OWASP LLM Top 10 (2025) lists prompt injection as LLM01 and identifies it as the most critical category of LLM-specific vulnerabilities for the second consecutive edition. OWASP's ranking reflects the fact that LLMs still struggle to reliably separate instructions from data, leaving them open to manipulation through crafted inputs.

The CrowdStrike 2026 Global Threat Report, built on frontline intelligence on more than 280 tracked adversaries, documented that in 2025 threat actors injected malicious instructions into legitimate generative AI tools at more than 90 organizations, then used those injections to generate commands that stole credentials and cryptocurrency. The report put it plainly: "Prompts are the new malware." Adversaries using AI increased their total attack volume by 89% year over year, with prompt injection acting as both an entry point and a force multiplier.

Real-world incidents show the operational impact. In August 2024, researchers at PromptArmor disclosed a prompt injection vulnerability in Slack AI that allowed an attacker to exfiltrate data from private Slack channels they had no access to (including API keys shared in private developer channels) by placing a malicious instruction in a public channel or embedding it in an uploaded document.

In June 2025, researchers at Aim Security disclosed EchoLeak (CVE-2025-32711, CVSS 9.3), the first documented zero-click prompt injection exploit against a production AI system, targeting Microsoft 365 Copilot. By sending a single crafted email, with no user interaction required, an attacker could cause Copilot to access internal files and transmit their contents to an attacker-controlled server.

Both vulnerabilities have since been patched. Still, these incidents make clear that prompt injection is not a theoretical vulnerability but a practical, recurring threat that organizations must address when deploying AI systems at scale.

Prompt injection techniques have evolved considerably over the past years and now target multi-agent architectures, retrieval-augmented generation (RAG) pipelines, model routers and long-term memory capabilities.

The enterprise problem: too much trust

Businesses rely on LLMs to process instructions, summarize data and run automated workflows, yet LLMs find it hard to distinguish:

  • Instructions from data

  • Information from context

  • Content from metadata

  • User intent from metadata

This allows attackers to manipulate the model's behaviour, directly or indirectly.

Modern prompt injection techniques

Cross-model prompt injection

Chaining several LLMs is common practice in enterprises. Attackers corrupt the output of one model, knowing full well that other models will process that content. The corruption then spreads across every downstream AI system.

RAG supply chain poisoning

Attackers plant malicious content in documents, blog articles and GitHub READMEs, wait for it to be ingested into an enterprise's RAG pipeline, and then use it as an attack vector.

Agent hijacking

AI agents have evolved to the point of sending email, modifying cloud infrastructure, executing code snippets and interacting with internal corporate systems. A single injected instruction is enough to make an agent behave in a harmful way.

Context overflow attacks

With context windows now spanning millions of tokens, attackers bury malicious instructions deep inside a document, hoping the LLM will encounter and act on them and thereby override all previous instructions.

Memory poisoning

With long-term memory now built into LLM systems, attackers can inject instructions that permanently reconfigure the assistant's state.

Model-router manipulation

Enterprises increasingly use model routers to choose between multiple LLMs. Attackers craft prompts that force routing to the weakest or least protected model.

Why is this important for business leaders?

Prompt injection is not a theoretical problem. It directly affects:

  • Customer-facing systems (chatbots, support agents)

  • Internal copilots (developer tools, security assistants)

  • Automation workflows (ticketing, cloud operations, HR processes)

  • Data management (RAG pipelines, knowledge bases)

The risk is no longer limited to "the model said something it shouldn't have."

In 2026, a prompt injection could:

  • Trigger unauthorized actions

  • Leak sensitive information

  • Corrupt internal workflows

  • Manipulate analysts

  • Alter business logic

  • Compromise multi-agent systems

The attack surface has expanded dramatically.

What should businesses do now?

1. Limit model permissions

Limit what the model can do, not just what it should do.

2. Segregate untrusted content

Treat all external information, including RAG sources, as potentially adversarial.

3. Gate tool invocation

Require human consent for high-impact actions.

4. Verify the origin of content

Ensure that RAG pipelines do not ingest poisoned foreign content.

5. Harden the model routers

Prevent attackers from forcing redirects to weaker models.

6. Treat LLMs as untrusted components

This shift in thinking is at the heart of modern AI security.
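As an added illustration of the six controls above (example code written for this edit, not from the article or its author; the tool names, source allowlist and model tiers are hypothetical), here is a small policy layer that sits between an agent and its tools, retrieval sources and model router:

```python
"""Policy layer between an LLM agent and its tools, RAG sources and router.

Hypothetical example: role/tool names, trusted sources and model tiers are
placeholders. The pattern is: deny by default, label retrieved text as data,
require a human for high-impact tools, and never let message content pick a
weaker model than the request's sensitivity allows.
"""
from dataclasses import dataclass
from typing import Optional

# 1. Least privilege: each agent role may call only these tools.
ROLE_TOOLS = {"support_bot": {"lookup_ticket", "reply_email"},
              "cloud_ops": {"lookup_ticket", "modify_infra"}}
# 3. Tools whose execution needs explicit human consent before it runs.
HIGH_IMPACT = {"reply_email", "modify_infra"}
# 4. Provenance: only content from vetted sources enters the RAG context.
TRUSTED_SOURCES = {"wiki.internal", "policies.internal"}
# 5. Router tiers, weakest first, and the floor per data sensitivity.
TIERS = ["unguarded-cheap", "guarded-small", "guarded-large"]
TIER_FLOOR = {"public": "guarded-small", "confidential": "guarded-large"}

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False

def wrap_untrusted(content: str, source: str) -> Optional[str]:
    """2+4: drop unvetted sources; delimit the rest so prompts treat it as data."""
    if source not in TRUSTED_SOURCES:
        return None  # foreign or unverified content never reaches the model
    return f"<untrusted source='{source}'>\n{content}\n</untrusted>"

def gate_tool_call(role: str, tool: str) -> Decision:
    """1+3: deny tools outside the role; flag high-impact ones for a human."""
    if tool not in ROLE_TOOLS.get(role, set()):
        return Decision(False, f"{tool} not permitted for role {role}")
    if tool in HIGH_IMPACT:
        return Decision(True, "requires human approval", needs_approval=True)
    return Decision(True, "allowed")

def route_model(sensitivity: str, requested_tier: Optional[str] = None) -> str:
    """5: a tier requested from inside the conversation is advisory only;
    the router never goes below the floor set by trusted metadata."""
    floor = TIER_FLOOR[sensitivity]
    if requested_tier not in TIERS:
        return floor
    return TIERS[max(TIERS.index(floor), TIERS.index(requested_tier))]
```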

Bottom line

Prompt injection remains the most effective way to compromise enterprise AI systems because it exploits the fundamental way LLMs interpret text. Unless organizations treat LLMs as untrusted interpreters rather than autonomous decision makers, prompt injection will dominate the AI threat landscape.

Julie Brunias is an AI Security Architect.
