TLDR: Palo Alto Networks’ Unit 42 has demonstrated a critical Agent2Agent (A2A) prompt injection vulnerability, where a malicious AI agent can manipulate another agent through multi-stage communications, leading to unauthorized actions like data disclosure or tool misuse. This highlights a significant security concern in the rapidly evolving landscape of autonomous AI agents.
A significant security vulnerability has been identified within the Agent2Agent (A2A) protocol, an open standard designed for communication and orchestration between multiple autonomous AI agents. Researchers at Palo Alto Networks’ Unit 42 successfully demonstrated a ‘prompt injection’ risk, where a malicious AI agent can compel another agent to perform harmful actions, including sensitive data disclosure or unauthorized tool utilization.
The Agent2Agent protocol facilitates stateful sessions, allowing AI agents to maintain continuous context and ‘remember’ previous interactions. Unit 42’s findings, reported on November 3, 2025, indicate that these multi-turn A2A communication sessions can be exploited by a malicious agent to inject harmful instructions into a targeted agent’s context. This manipulation can lead to the compromised agent executing actions it was not intended to, posing a substantial threat to AI system integrity and user data.
To illustrate this proof-of-concept, researchers conducted tests using two distinct scenarios. The setup involved a financial assistant agent, powered by Gemini 2.5 Pro, acting as the targeted client. This financial agent was capable of retrieving user profiles, accessing investment portfolios, and executing stock transactions. A research assistant agent, powered by Gemini 2.5 Flash, was designated as the malicious remote agent. The financial assistant would typically consult the research agent for market news, with the research agent using Google Search to gather and relay information.
Also Read:
- AI Leaders Intensify Battle Against Rising Cyber Threats, Focusing on Prompt Injection Vulnerabilities
- New Research Reveals AI Models Generate Code with Significant Security Vulnerabilities
In the first scenario, the research agent was configured with malicious intent, demonstrating how such an attack could unfold. The implications of such vulnerabilities are far-reaching, as prompt injection attacks, in general, have evolved from niche concerns to mainstream cybersecurity risks by 2025. These attacks exploit how AI models interpret input, allowing adversaries to override intended behaviors. The Agent2Agent protocol’s design, while enabling sophisticated AI interactions, also introduces new attack surfaces that require robust security measures to prevent manipulation and ensure the trustworthiness of AI systems.
