Prompt injection is exploiting the biggest design flaws in enterprise AI by targeting agents, RAG pipelines, and model routers.



Over the past two years, companies have worked to adopt large language models (LLMs) for support, analysis, development, and internal automation as never before.

Along with the increasing adoption of artificial intelligence technology, another trend is gaining momentum: cybercriminals are taking advantage of the disconnect between assumptions about LLMs and their actual characteristics.

In 2025 and 2026, several independent sources have highlighted the same trend: prompt injection remains one of the most impactful and widely demonstrated attack vectors against LLM systems. The OWASP LLM Top 10 (2025) lists prompt injection as LLM01, identifying it as the most critical category of LLM-specific vulnerabilities, for the second consecutive edition. The OWASP classification reflects the fact that LLMs still struggle to reliably separate instructions from data, making them susceptible to manipulation by crafted inputs.

The CrowdStrike 2026 Global Threat Report (based on top-line intelligence from more than 280 tracked adversaries) documented that threat actors injected malicious prompts into legitimate generative AI tools in more than 90 organizations in 2025. They then used those injections to generate commands that stole credentials and cryptocurrency. The report said it clearly: "Prompts are the new malware." AI-enabled adversaries increased their overall attack volume by 89% year over year, with prompt injection serving as an entry point and force multiplier.

Real-world incidents illustrate the operational impact. In August 2024, PromptArmor researchers revealed a prompt injection vulnerability in Slack AI that allowed an attacker to exfiltrate data from private Slack channels to which they did not have access, including API keys shared in private developer channels, by placing a malicious instruction in a public channel or embedding it in an uploaded document.

In June 2025, Aim Security researchers revealed EchoLeak (CVE-2025-32711, CVSS 9.3), the first documented zero-click prompt injection exploit against a production AI system, targeting Microsoft 365 Copilot. By sending a single crafted email, with no user interaction required, an attacker could cause Copilot to access internal files and transmit their contents to a server controlled by the attacker.

Both vulnerabilities were patched. These incidents underscore the fact that prompt injection is not a theoretical weakness, but rather a practical and repeatable threat that organizations must address when deploying AI systems at scale.

Prompt injection techniques have evolved significantly in recent years, now targeting multi-agent architectures, retrieval-augmented generation (RAG) pipelines, model routers, and long-term memory capabilities.

The enterprise challenge: too much trust

Companies deploy LLMs to process instructions, summarize information, and trigger automated workflows, but it is difficult for LLMs to distinguish:

  • instructions from data

  • context information

  • dometadata ontext

  • user intent from metadata

This creates an opportunity for attackers to manipulate and influence the behavior of the model, either directly or indirectly.

Modern prompt injection

Prompt injection between models

Using LLMs is common practice among companies. Attackers corrupt the output of one model, knowing that other models will process that content. The corruption therefore spreads through all AI systems.

RAG Supply Chain Poisoning

Attackers create malicious content: documentation, blog articles, GitHub README files. They then wait until this content is ingested into companies' RAG pipelines and use it as an attack vector.

Agent hijacking

AI agents have evolved to the point where they can send emails, modify cloud infrastructure, run code snippets, and interact with internal corporate systems. A single injected instruction is enough to make an agent act in a different and harmful way.

Context overflow attacks

With context windows of millions of tokens, attackers place malicious code inside a document and wait for an LLM to find and execute it, thus overriding all previous instructions.

Memory poisoning

Due to the implementation of long-term memory in LLMs, attackers can inject instructions that permanently reconfigure their state.

Router-model manipulation

Enterprises are increasingly using model routers to select from various LLMs. Attackers craft prompts that force the router to select the weakest or least protected model.

Why this is important for business leaders

Prompt injection is not a theoretical problem. It directly affects:

  • Customer-facing systems (chatbots, support agents)

  • Internal co-pilots (development tools, security assistants)

  • Automation workflows (ticketing, cloud operations, HR processes)

  • Data governance (RAG pipelines, knowledge bases)

The risk is no longer limited to "the model said something it shouldn’t have."

In 2026, prompt injection can:

  • unauthorized actions of the surveyor

  • confidential data

  • Corrupt internal workflows

  • Manipulate analysis

  • filter business logic

  • Compromise multi-agent systems

The attack surface has expanded dramatically.

What should companies do now?

1. Restrict model permissions.

Limit what the model can do, not just what it should do.

2. Segment untrusted content

Treat all external data, including RAG sources, as potentially hostile.

3. Monitor tool invocation

Require human approval for high-impact actions.

4. Validate the origin of the content

Ensure that RAG pipelines do not ingest poisoned external content.

5. Harden Model Routers

Prevent attackers from forcing routing to weaker models.

6. Treat LLMs as untrusted components

This shift in mindset is the foundation of modern AI security.
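An added example (not from the original article) of how recommendations 1 to 3 and 6 can be enforced in code that runs outside the model: the LLM's tool call is treated as a request, checked against an allowlist, and escalated to a human when the action is high-impact or when untrusted content has entered the context. The tool names, impact tiers, source label and approver address are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical tool names and impact tiers, constructed for this example.
TOOL_TIERS = {"search_kb": "read", "create_ticket": "write",
              "send_email": "high", "modify_cloud_resource": "high"}

@dataclass
class Session:
    """One agent session; records every untrusted source placed in the model context."""
    untrusted_sources: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def add_context(self, source: str, trusted: bool) -> None:
        if not trusted:  # RAG hits, inbound email, web pages, other models' output
            self.untrusted_sources.append(source)

def authorize(session: Session, tool: str, approved_by: Optional[str] = None):
    """Decide on a tool call the model requested. Returns (allowed, reason)."""
    tier = TOOL_TIERS.get(tool)
    tainted = bool(session.untrusted_sources)
    if tier is None:
        verdict = (False, "tool not on allowlist")
    elif tier == "read":
        verdict = (True, "read-only tool")
    elif tier == "write" and not tainted:
        verdict = (True, "write tool, context has only trusted content")
    elif approved_by:
        verdict = (True, f"approved by {approved_by}")
    else:
        verdict = (False, "human approval required")
    # Monitoring: log every request with the sources that could have influenced it.
    session.audit_log.append({"tool": tool, "allowed": verdict[0], "reason": verdict[1],
                              "untrusted_sources": list(session.untrusted_sources)})
    return verdict

def demo() -> list:
    s = Session()
    results = [authorize(s, "create_ticket")]            # clean context: allowed
    s.add_context("rag:external-readme", trusted=False)  # constructed sample source
    results.append(authorize(s, "create_ticket"))        # same tool now needs approval
    results.append(authorize(s, "send_email"))           # high impact: denied
    results.append(authorize(s, "send_email", approved_by="oncall@example.com"))
    results.append(authorize(s, "delete_all_users"))     # tool the model invented: denied
    return results

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The audit log entry for each denied or approved call lists the untrusted sources present at the time, which gives the reviewer and the incident responder the candidate injection points.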

The bottom line

Prompt injection remains the most effective way to compromise enterprise AI systems because it exploits the fundamental way LLMs interpret text. Until organizations treat LLMs as untrusted interpreters, not autonomous decision makers, prompt injection will continue to dominate the AI threat landscape.

Julie Brunias is an AI security architect.


