EchoLeak is a newly identified 'zero-click' vulnerability in Microsoft 365 Copilot that lets an attacker exfiltrate sensitive data without any user interaction: the victim does not have to open, click or reply to anything the attacker sends. Tracked as CVE-2025-32711 with a critical CVSS score of 9.3, it is an indirect prompt injection that triggers what its discoverers call an LLM Scope Violation, where untrusted content from outside the organisation steers the large language model (LLM) into accessing and handing over privileged data that the untrusted input should never have been able to influence. Microsoft fixed the issue on the service side and listed it in its June 2025 Patch Tuesday release; no customer action is required. Although the flaw is serious, Aim Security, the firm that discovered it, reports no evidence of exploitation in the wild.
Microsoft's advisory summarises the flaw in a single sentence: "AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network."

Aim Security describes the impact of the attack chains it built: "The chains allow attackers to automatically exfiltrate sensitive and proprietary information from M365 Copilot context, without the user's awareness."