Seven Tactics Hackers Use to Manipulate ChatGPT’s Responses

Cybersecurity firm Tenable has unveiled significant vulnerabilities in OpenAI’s ChatGPT, uncovering seven distinct risks that could allow malicious actors to compromise user data, circumvent security measures, and embed persistent threats within the model’s architecture.

The analysis, referred to as HackedGPT, highlighted that several of the vulnerabilities identified in ChatGPT-4 have persisted into ChatGPT-5. Tenable emphasized that these weaknesses expose users to severe risks, including data exfiltration, overrides of safety systems, and prolonged threats stemming from indirect prompt injection, in which covert instructions placed on external sites influence the model's behavior.

According to Moshe Bernstein, Senior Research Engineer at Tenable, “These flaws expose a fundamental weakness in how large language models determine which information to consider reliable.” He articulated that while each individual flaw may seem minor, collectively, they constitute a comprehensive attack vector that spans injection, evasion, data theft, and sustained persistence.

The research identified alarming “0-click” and “1-click” attack vectors, which could be initiated through simple user actions, like posing a question or following a link that executes harmful commands. Particularly concerning is a technique termed Persistent Memory Injection, which can potentially embed covert instructions in ChatGPT’s memory, creating risks of repeated data exposure even after user sessions conclude.

Tenable underscored that the vulnerabilities take advantage of ChatGPT’s integration with browsing capabilities and memory functions, both of which interact with live web data and retain user information. This poses a risk that attackers could secretly access sensitive chat histories or connected services like Google Drive.

While OpenAI has taken steps to address certain vulnerabilities, Tenable has found that several remain unaddressed in ChatGPT-5, leaving specific risks exposed. These unresolved issues are potential exposure paths that attackers could exploit, posing a significant challenge for users and businesses alike.

Tenable advocates for AI developers to bolster their defenses against prompt injection by ensuring that browsing, search, and memory systems are appropriately isolated to minimize cross-context interference. Bernstein remarked, “This research isn’t solely about revealing flaws; it’s about transforming the security landscape of AI.” He emphasized the need for both individuals and organizations to operate under the assumption that AI tools can be manipulated, necessitating robust control mechanisms.

The firm calls on security teams to regard AI systems as active targets for cyberattacks, urging continuous oversight to detect any manipulation or data leakage. This proactive stance is crucial for mitigating the risks associated with evolving threats in the landscape of artificial intelligence.
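A defender-side illustration of the isolation and oversight Tenable recommends in the two paragraphs above: the added Python below (not Tenable's or OpenAI's code) tags every context segment with its origin, wraps browser-fetched text as labelled untrusted data, flags instruction-like content inside it with constructed heuristics, and refuses to let fetched content write to long-term memory. The `Origin`, `Segment`, `MemoryStore` and `build_context` names and the detection patterns are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from enum import Enum

class Origin(Enum):
    USER = "user"          # typed by the account holder in the chat
    TOOL_WEB = "tool_web"  # fetched by browsing/search: untrusted data, never instructions

@dataclass
class Segment:
    text: str
    origin: Origin

# Constructed heuristics for text that reads as a command to the model rather than as
# page content, plus hidden-text tricks (HTML comments, zero-width characters).
INJECTION_PATTERNS = {
    "override": re.compile(r"ignore\s+(?:all\s+|any\s+|the\s+)?(?:previous|prior|above)\s+instructions", re.I),
    "role_spoof": re.compile(r"\b(?:system|assistant|developer)\s*:", re.I),
    "memory_write": re.compile(r"\b(?:remember|save|store)\b.{0,40}\b(?:memory|later|future)\b", re.I | re.S),
    "hidden_html": re.compile(r"<!--.*?-->", re.S),
    "zero_width": re.compile(r"[\u200b\u200c\u200d\u2060]"),
}

def flag_injection(text: str) -> list:
    """Names of the heuristics that fire on the text; an empty list means nothing suspicious."""
    return [name for name, pat in INJECTION_PATTERNS.items() if pat.search(text)]

class MemoryStore:
    """Long-term memory that accepts writes only from user-originated segments."""
    def __init__(self):
        self.entries, self.rejected = [], []
    def write(self, seg: Segment) -> bool:
        if seg.origin is not Origin.USER:   # fetched content can never persist itself
            self.rejected.append(seg.text)
            return False
        self.entries.append(seg.text)
        return True

def build_context(segments: list) -> dict:
    """Assemble the prompt: fetched text is wrapped as labelled untrusted data, and instruction-like content inside it is reported."""
    parts, alerts = [], []
    for seg in segments:
        if seg.origin is Origin.TOOL_WEB:
            hits = flag_injection(seg.text)
            if hits:
                alerts.append({"origin": seg.origin.value, "hits": hits})
            parts.append(f"<web_data trust=untrusted>\n{seg.text}\n</web_data>")
        else:
            parts.append(f"[{seg.origin.value}] {seg.text}")
    return {"prompt": "\n".join(parts), "alerts": alerts}
```

The heuristics are a triage signal for alerting and review, not a complete filter; the origin-based gate in `MemoryStore.write` is what stops fetched content from persisting itself.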

In light of the identified vulnerabilities, the potential MITRE ATT&CK tactics associated with these threats include initial access via remote code execution, persistence through system memory exploitation, and techniques for privilege escalation, particularly surrounding data extraction and manipulation methodologies. Understanding these tactics can provide essential insights for organizations looking to fortify their cybersecurity measures against emerging AI-related threats.
