XM Cyber's Zur Ulianitzky has modeled an attack path that hijacks an AI agent's knowledge base without ever touching the agent itself, instead chaining weaknesses in the legacy infrastructure it trusts. The analysis was published on June 22, 2026, as "Stop Your Legacy Infrastructure from Hijacking Your AI Agents."
Modeled Enterprise Attack Path · AI Agent Security
They Don't Hack the AI — They Hack the Old Systems It Trusts
Instead of breaking the model, prompt guards, or agent framework, attackers chain an unpatched Tomcat flaw, Active Directory misconfigurations, and stolen AWS keys to reach the S3 bucket an AI agent uses as its RAG knowledge base.
TARGET
0
direct attacks on the AI model — the layer is bypassed entirely
CHAIN
3
trusted legacy layers chained: Tomcat → AD → AWS S3
BLAST RADIUS
Amplified
agent's broad access widens the impact of every stolen key
The Attack Chain — Across Trust Boundaries
STEP 1 · INITIAL FOOTHOLD
Apache Tomcat
Unpatched RCE flaw in a legacy Java web app opens the door.
→
STEP 2 · MOVE & ESCALATE
Active Directory
Kerberoasting, unconstrained delegation, weak service-account perms.
→
STEP 3 · REACH THE DATA
AWS S3 (RAG)
Stolen IAM keys + over-permissioning reach the agent's knowledge base.
WHY THE BLAST RADIUS GROWS
Permission scope: scoped vs. over-broad
s3:GetObject
least privilege
Design around scope of impact , not intended use — broad grants multiply what one stolen key can do.
DEFENSIVE PLAYBOOK
Scope policies to s3:GetObject , add explicit denies
MCP gateways broker access — no direct credentials to agents
Sandboxes for tool execution
Human-in-the-loop on sensitive actions
Monitor for anomalous tool chains
The Shift
AI agents are high-privilege "users" that reason autonomously and wield APIs, code execution, and data retrieval with broad permissions.
As coding agents and enterprise copilots proliferate, attackers are moving away from jailbreaks and prompt attacks on the model — toward classic lateral movement against the infrastructure trust boundaries the agent depends on.
Continue reading The rest of this article is for AI News Blitz readers. Choose an option below to keep reading.
Already purchased? Sign in ✓ Signed in — this article isn’t included in your current plan.Unlocking the full article…