{"id":349,"date":"2026-04-16T07:51:35","date_gmt":"2026-04-16T07:51:35","guid":{"rendered":"https:\/\/haco.club\/?p=349"},"modified":"2026-04-16T07:51:35","modified_gmt":"2026-04-16T07:51:35","slug":"sector-2025-one-agent-to-rule-them-all-how-one-malicious-agent-hijacks-a2a-system","status":"publish","type":"post","link":"https:\/\/haco.club\/?p=349","title":{"rendered":"SecTor 2025 | One Agent to Rule Them All: How One Malicious Agent Hijacks A2A System"},"content":{"rendered":"\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"SecTor 2025 | One Agent to Rule Them All: How One Malicious Agent Hijacks A2A System\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/X_Qb_EVDQx4?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>&#8220;One Agent to Rule Them All&#8221; by cybersecurity researchers Stav Cohen and Adar Peleg.<\/p>\n\n\n\n<p><strong>Core Theme<\/strong><br>The presentation highlights a novel and severe security vulnerability in Generative AI Multi-Agent Systems (MAS). The researchers demonstrate how an attacker can use a technique called&nbsp;<strong>&#8220;AgentWare&#8221;<\/strong>&nbsp;to compromise an entire enterprise AI network simply by introducing a malicious agent into the system.<\/p>\n\n\n\n<p><strong>Key Concepts &amp; Background<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>GenAI Agents:<\/strong>\u00a0Unlike simple chatbots, AI agents can understand goals, plan steps, execute actions using internal tools (APIs, databases), and collaborate with other agents to solve complex tasks.<\/li>\n\n\n\n<li><strong>Promptware:<\/strong>\u00a0Malicious inputs (text, images, audio) designed to manipulate an AI via indirect prompt injection.<\/li>\n\n\n\n<li><strong>Google\u2019s A2A Protocol:<\/strong>\u00a0A framework developed by Google that allows different AI agents to discover and communicate with one another.<\/li>\n<\/ul>\n\n\n\n<p><strong>The Vulnerability: The &#8220;Agent Card&#8221; Exploit<\/strong><br>The researchers focus their attack on Google&#8217;s Agent-to-Agent (A2A) protocol. To connect a new external agent to a host system, the host reads an&nbsp;<strong>Agent Card<\/strong>\u2014a simple JSON file that describes the new agent\u2019s identity, skills, and instructions.<\/p>\n\n\n\n<p>The critical flaw is that&nbsp;<strong>the host agent blindly trusts the content of the Agent Card.<\/strong>&nbsp;By injecting natural language &#8220;jailbreak&#8221; commands directly into the Agent Card&#8217;s description, an attacker can create a malicious agent (&#8220;AgentWare&#8221;). When the host agent reads this card to learn how to interact with the new agent, it inadvertently executes the malicious prompt, compromising the host system.<\/p>\n\n\n\n<p><strong>Attack Scenarios Demonstrated<\/strong><br>Because the host agent has access to internal enterprise tools, the compromised host can be manipulated to perform highly damaging, untargeted attacks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Bias &amp; Manipulation:<\/strong>\u00a0Tricking the host agent into ignoring normal protocols to exclusively promote a specific product or service whenever asked for recommendations.<\/li>\n\n\n\n<li><strong>Data Exfiltration:<\/strong>\u00a0Instructing the host to query an internal database for sensitive information (e.g., employee details, IP addresses) and secretly send it back to the attacker\u2019s external agent.<\/li>\n\n\n\n<li><strong>Tool Abuse &amp; Sabotage:<\/strong>\u00a0Tricking the host into executing destructive actions using internal IT tools, such as repeatedly altering firewall rules or shutting down the air conditioning in a server room.<\/li>\n<\/ul>\n\n\n\n<p><strong>Why This Attack is Dangerous<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Low Barrier to Entry:<\/strong>\u00a0It requires no complex coding or &#8220;zero-day&#8221; exploits. The attack is written in plain English, and registering a malicious agent URL costs as little as $14.<\/li>\n\n\n\n<li><strong>Invisible to Standard Security:<\/strong>\u00a0Traditional cybersecurity tools (like code scanners) cannot detect this malware because it consists of natural language instructions, not malicious code.<\/li>\n\n\n\n<li><strong>Vendor Apathy:<\/strong>\u00a0When reported to Google, the company declined to issue a bug bounty or immediate fix, stating the solution is simply to &#8220;trust users not to get attacked&#8221; (i.e., users should only install trusted agents). The researchers argue this is unrealistic in a decentralized &#8220;Wild West&#8221; ecosystem where an official, vetted App Store for agents does not yet exist.<\/li>\n<\/ul>\n\n\n\n<p><strong>Takeaways &amp; Defensive Recommendations<\/strong><br>The researchers conclude that current multi-agent architectures are fundamentally insecure because they lack segregation. To protect enterprise systems, developers must implement:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Human-in-the-Loop:<\/strong>\u00a0Require human approval for any critical actions (like changing firewalls or accessing sensitive databases).<\/li>\n\n\n\n<li><strong>Hard Guardrails:<\/strong>\u00a0Do not rely solely on &#8220;soft&#8221; LLM filters. Implement strict architectural rules that prevent certain tool combinations (e.g., an agent should not be able to read a database and make an external web request in the same session).<\/li>\n\n\n\n<li><strong>Agent Sandboxing:<\/strong>\u00a0Test new, external agents in a secure, isolated sandbox before integrating them into the live enterprise network.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;One Agent to Rule Them All&#8221; by cybersecurity researchers Stav [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[35,5],"class_list":["post-349","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-llm","tag-security"],"_links":{"self":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=349"}],"version-history":[{"count":1,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/349\/revisions"}],"predecessor-version":[{"id":350,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/349\/revisions\/350"}],"wp:attachment":[{"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}