Google has addressed a Gemini zero-click security flaw that allows silent data extraction from corporate environments using the company’s AI assistant tools. The issue, identified as a vulnerability in Gemini Enterprise, was uncovered in June 2025 by researchers at Noma Security, who immediately reported it to Google.The researchers named the flaw GeminiJack, describing it as an architectural weakness affecting both Google’s Gemini Enterprise, its suite of corporate AI assistant tools, and Vertex AI Search, which supports AI-driven search and recommendation functions on Google Cloud.According to security researchers, the issue allowed a form of indirect prompt injection. Attackers could embed malicious instructions inside everyday documents stored or shared through Gmail, Google Calendar, Google Docs, or any other Workspace application that Gemini Enterprise had permission to access. When the system interacted with the poisoned content, it could be manipulated to exfiltrate sensitive information without the target's knowledge.The defining trait of the attack was that it required no interaction from the victim. Researchers noted that exploiting Gemini zero-click behavior meant employees did not need to open links, click prompts, or override warnings. The attack also bypassed standard enterprise security controls.
How the GeminiJack Attack Chain Worked
Noma Security detailed several stages in the GeminiJack attack sequence, showing how minimal attacker effort could trigger high-impact consequences:
Content Poisoning: An attacker creates a harmless-looking Google Doc, Calendar entry, or Gmail message. Hidden inside was a directive instructing Gemini Enterprise to locate sensitive terms within authorized Workspace data and embed those results into an image URL controlled by the attacker.
Trigger: A regular employee performing a routine search could inadvertently cause the AI to fetch and process the tampered content.
AI Execution: Once retrieved, Gemini misinterpreted the hidden instructions as legitimate. The system then scanned corporate Workspace data, based on its existing access permissions, for the specified sensitive information.
Exfiltration: During its response, the AI inserted a malicious image tag. When the browser rendered that tag, it automatically transmitted the extracted data to the attacker's server using an ordinary HTTP request. This occurred without detection, sidestepping conventional defenses.
Researchers explained that the flaw existed because Gemini Enterprise’s search function relies on Retrieval-Augmented Generation (RAG). RAG enables organizations to query multiple Workspace sources through pre-configured access settings.“Organizations must pre-configure which data sources the RAG system can access,” the researchers noted. “Once configured, the system has persistent access to these data sources for all user queries.” They added that the vulnerability exploited “the trust boundary between user-controlled content in data sources and the AI model’s instruction processing.”A step-by-step proof-of-concept for GeminiJack was published on December 8.
Google’s Response and Industry Implications
Google confirmed receiving the report in August 2025 and collaborated with the researchers to resolve the issue. The company issued updates modifying how Gemini Enterprise and Vertex AI Search interact with retrieval and indexing systems. Following the fix, Vertex AI Search was fully separated from Gemini Enterprise and no longer shares the same LLM-based workflows or RAG functionality.Despite the patch, security researchers warned that similar indirect prompt-injection attacks could emerge as more organizations adopt AI systems with expansive access privileges. Traditional perimeter defenses, endpoint security products, and DLP tools, they noted, were “not designed to detect when your AI assistant becomes an exfiltration engine.”“As AI agents gain broader access to corporate data and autonomy to act on instructions, the blast radius of a single vulnerability expands exponentially,” the researchers concluded. They advised organizations to reassess trust boundaries, strengthen monitoring, and stay up to date on AI security work.
Reportedly, attackers used this exploit against dozens of WhatsApp users, and WhatsApp has notified those affected:
“Our investigation indicates that a malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system to compromise your device and the data it contains, including messages.
While we don’t know with certainty that your device has been compromised, we wanted to let you know out of an abundance of caution so you can take steps to secure your device and information.”
WhatsApp advised the affected users to perform a full factory reset of their phone in order to make sure they are rid of the malware.
“We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system could remain compromised by the malware or targeted in other ways.
To best protect yourself, we recommend a full device factory reset. We also strongly urge you to keep your devices updated to the latest version of the operating system, and ensure that your WhatsApp app is up to date.”
According to the Amnesty International Security Lab, the vulnerability was part of a zero-click attack against both iPhone and Android users. A zero-click attack is a type of attack which allows the cybercriminals to break into devices or apps without the victim needing to click, tap, or respond to anything. Unlike classic scams that rely on tricking someone into clicking a sketchy link, zero-click threats can land on a device simply because an app receives a message or notification crafted to exploit a hidden flaw.
Technical details
The zero-click attack required two vulnerabilities.
For iOS and Mac users these vulnerabilities were tracked as CVE-2025-43300 and lie in the Image I/O framework, the part of macOS and iOS that an app needs to open or save a picture. The problem came from an out-of-bounds write. Apple stepped in and tightened the rules with better bounds checking, closing off the hole so attackers can no longer use it.
An out-of-bounds write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.
In this case, an attacker could construct an image to exploit the vulnerability. Processing such a malicious image file would result in memory corruption. Attackers can exploit memory corruption flaws to crash important processes or execute their own code.
The second vulnerability, CVE-2025-55177 for WhatsApp users, is caused by incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 and could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.
What to do
The infection chain described in the security advisories from Apple and WhatsApp relies on two components: an Apple vulnerability (CVE-2025-43300) in the Image I/O framework and a WhatsApp vulnerability (CVE-2025-55177) that allowed the hijacking of devices by synchronizing messages.
Attackers exploited the Apple ImageIO bug via malicious image files, which is dangerous because this core library is used by multiple apps (not just WhatsApp) for opening and previewing pictures. In affected WhatsApp versions for iOS and Mac, the sync message bug could trigger arbitrary URL processing, creating a powerful combo for chaining exploits and compromising devices without any user action.
While Android users were mentioned among potential targets in advanced spyware campaigns reported by Amnesty, the most severe zero-click risk described applies only to Apple devices. For Android, the WhatsApp vulnerability may have exposed users to attacks, but not via the same chained infection vectors. As always, updating WhatsApp and enabling advanced security features (like Google Advanced Protection on Android) is highly recommended. So is using security protection on your devices.
If you’ve received one of the notifications from WhatsApp, we’d advise you to follow the instructions.
We don’t just report on phone security—we provide it
Login
