Agentic AI Security Digest — June 2025

Explore the TOP Agentic AI Resources to stay informed about the most pressing risks and defenses in the field.

As autonomous agents gain new capabilities—reasoning, memory, tool use—they also introduce unique security challenges. This digest covers the latest research, real-world exploits, and AI red teaming strategies exposing how Agentic AI systems can be manipulated or compromised. From indirect prompt injections to cross-agent coordination issues, and foundational risks like MCP Security, you’ll find insights and guidance to help secure next-gen AI architectures.

Top Agentic AI Vulnerabilities

Unveiling AI Agent Vulnerabilities Part III: Data Exfiltration — Trend Micro

This research shows how multi-modal AI agents can be exploited through hidden instructions in files like Word docs or images. These indirect prompt injections can trigger data leaks or code execution without user interaction. The Pandora proof-of-concept demonstrates how easily agents can be manipulated. Stronger agent-level safeguards and real-time monitoring are urgently needed.

New attack can steal cryptocurrency by planting false memories in AI chatbots — Ars Technica

Attackers can hijack AI chatbots to send cryptocurrency by inserting crafted prompts that manipulate memory. Using the ElizaOS framework, researchers showed how false context led to real fund transfers. The attack highlights the dangers of autonomous agents handling transactions. Memory integrity is critical in financial AI systems.

Top Agentic AI Red Teaming

Agent Red-Teaming: Exposing Vulnerabilities in Autonomous Financial AI Systems — Medium

This case study details a red-teaming exercise against a Financial Research Agent (FRA), revealing vulnerabilities unique to modular, autonomous AI systems. It outlines the FRA’s architecture, attack results, and practical mitigation strategies. The findings highlight real-world risks tied to reasoning and tool-using agents.

Top Agentic AI Security Research

AGENTFUZZER: Generic Black-Box Fuzzing for Indirect Prompt Injection against LLM Agents — arXiv

AgentFuzzer is a black-box fuzzing framework designed to uncover indirect prompt injection vulnerabilities in LLM agents. Using intelligent seed generation and optimization, it achieved high success rates in attacking popular agents like GPT-4o. The study shows these attacks can redirect agent behavior in real-world environments, highlighting the urgent need for stronger defenses.

Crypto AI agents can be tricked into giving away their money, study finds — Cybernews

A Princeton study reveals that crypto agents can be manipulated through context poisoning to transfer funds to attackers. The researchers successfully exploited ElizaOS on both testnet and mainnet. This shows the danger of trusting stored interaction history. Secure context validation is essential for crypto-focused GenAI agents.

The Hidden Dangers of Browsing AI Agents — arXiv

Browsing agents using LLMs are vulnerable to prompt injection, credential theft, and command hijacking. A white-box analysis of Browser Use revealed critical flaws in how these agents handle untrusted web content. Researchers propose input sanitization, component isolation, and formal analyzers as mitigations. These agents need layered defenses across all execution points.

Top Agentic AI threat model

Securing Agentic AI: A Comprehensive Threat Model and Mitigation Framework for Generative AI Agents — arXiv

This paper proposes a dedicated threat model for GenAI agents, emphasizing risks tied to autonomy, memory, and reasoning. It introduces two frameworks—ATFAA and SHIELD—to map and mitigate security threats unique to agents. The authors argue that without agent-specific defenses, enterprises risk exposure to novel, hard-to-detect attacks.

AI Agents Are Here. So Are the Threats — Unit 42

This article explores the security risks of agentic applications—programs powered by autonomous AI agents that act toward specific goals. Researchers tested nine real-world attack scenarios, including credential theft, remote code execution, and tool misuse, across two agent frameworks: CrewAI and AutoGen. The results show that most vulnerabilities stem from design flaws and misconfigurations, not the frameworks themselves.

Top Agentic AI Security Framework / Guide

CSA Agentic AI Red Teaming Guide — Cloud Security Alliance

Top Agentic AI Defense

Securing Amazon Bedrock Agents: A guide to safeguarding against indirect prompt injections — AWS Machine Learning Blog

AWS outlines security strategies for defending Amazon Bedrock Agents against indirect prompt injection attacks. These attacks embed hidden instructions in external content that AI agents later process and act on. The article emphasizes best practices for keeping enterprise AI applications secure and trustworthy.

Securing the Model Context Protocol: Building a safer agentic future on Windows — Windows Experience Blog

Microsoft presents MCP as a new standard for agent-tool communication in Windows, while also detailing the security challenges it brings. The post outlines major risks like cross-prompt injection, credential leakage, and tool poisoning. It proposes early best practices to secure this critical layer in agentic computing.

Comparing MCP, A2A, and AGNTCY in the AI Agent Ecosystem — Medium

This article compares three emerging standards for secure agent communication: Anthropic’s Model Context Protocol (MCP), Google’s Agent2Agent (A2A), and the AGNTCY collective. As AI systems evolve into networks of specialized agents, seamless and secure collaboration becomes a critical challenge. MCP connects models to tools and data, A2A enables direct agent-to-agent messaging, and AGNTCY envisions a full infrastructure stack. The comparison highlights how each approach tackles interoperability, trust, and future-scale AI coordination.

Top MCP Security

MCP Security Digest — Adversa AI

Subscribe for updates

Stay up to date with what is happening! Plus, get a first look at news, noteworthy research, and the worst attacks on AI—delivered right to your inbox.