**Google Patches Zero-Click Vulnerability in Gemini Enterprise Exposing Corporate Data**
In June 2025, security researchers at Noma Security uncovered a critical zero-click vulnerability in Google Gemini Enterprise, dubbed GeminiJack, which could enable attackers to exfiltrate sensitive corporate data without user interaction. The flaw, reported to Google the same day, affected Gemini Enterprise—Google’s suite of AI-powered workplace tools—and Vertex AI Search, a Google Cloud platform for AI-driven search and recommendations.
The vulnerability stemmed from an indirect prompt injection weakness in Gemini’s Retrieval-Augmented Generation (RAG) architecture, which allows the AI to query across multiple Google Workspace data sources (Gmail, Google Docs, Calendar, etc.). Attackers could embed malicious instructions in seemingly benign documents, emails, or calendar events. When a legitimate employee performed a routine search, the AI would unknowingly process these instructions, scan authorized Workspace data for sensitive terms, and transmit the results to an attacker-controlled server via an external image URL—all while bypassing traditional security controls.
The attack required no user interaction, making it particularly stealthy. Google confirmed the report in August 2025 and collaborated with Noma Security to remediate the issue. By December, Google had deployed updates that separated Vertex AI Search from Gemini Enterprise, eliminating shared LLM workflows and RAG capabilities. However, Noma Security warned that such vulnerabilities may persist as AI systems gain broader access to corporate data, outpacing the detection capabilities of conventional security tools.
The UK’s National Cyber Security Centre (NCSC) has since released guidance to help organizations mitigate prompt injection risks, underscoring the growing threat posed by AI-driven data exfiltration. The incident highlights the expanding attack surface introduced by corporate AI adoption, where a single flaw can expose vast amounts of sensitive information.
Source: https://www.infosecurity-magazine.com/news/google-fixes-gemini-enterprise-flaw/
Noma Security cybersecurity rating report: https://www.rankiteo.com/company/noma-security
"id": "NOM1765375786",
"linkid": "noma-security",
"type": "Vulnerability",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Corporate users of Google '
'Gemini Enterprise and Vertex AI '
'Search',
'industry': 'Technology, Cloud Services, AI',
'location': 'Global',
'name': 'Google',
'size': 'Large Enterprise',
'type': 'Technology Company'}],
'attack_vector': 'Malicious instructions embedded in Google Workspace '
'documents (Google Docs, Gmail, Google Calendar)',
'data_breach': {'data_exfiltration': 'Yes (via external image URLs)',
'file_types_exposed': 'Google Docs, Gmail, Google Calendar '
'events',
'sensitivity_of_data': 'High (corporate data)',
'type_of_data_compromised': 'Sensitive corporate information'},
'date_detected': '2025-06',
'date_publicly_disclosed': '2025-12-08',
'description': 'Google patched a zero-click vulnerability in Gemini '
'Enterprise that could lead to corporate data leaks. The flaw, '
'dubbed ‘GeminiJack’, is an architectural weakness in Google '
'Gemini Enterprise and Vertex AI Search, allowing indirect '
'prompt injection attacks to exfiltrate sensitive corporate '
'information without user interaction or triggering security '
'controls. The attack involves embedding hidden instructions '
'in documents, emails, or calendar events, which Gemini '
'Enterprise processes during routine searches, leading to data '
'exfiltration via external image URLs.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'data leaks',
'data_compromised': 'Sensitive corporate information',
'operational_impact': 'Potential unauthorized data exfiltration '
'without detection by traditional security '
'tools',
'systems_affected': 'Google Gemini Enterprise, Vertex AI Search, '
'Google Workspace (Gmail, Google Docs, Google '
'Calendar)'},
'investigation_status': 'Resolved (patches deployed)',
'lessons_learned': 'Traditional security controls (perimeter defenses, '
'endpoint protection, DLP) are insufficient to detect '
'AI-driven exfiltration. Organizations must implement '
'robust monitoring and consider trust boundaries when '
'deploying AI systems with access to sensitive data.',
'post_incident_analysis': {'corrective_actions': 'Separation of Vertex AI '
'Search from Gemini '
'Enterprise, updates to RAG '
'workflows, changes to '
'retrieval and indexing '
'systems',
'root_causes': 'Trust boundary exploitation in RAG '
'architecture, lack of detection '
'for AI-driven exfiltration'},
'recommendations': 'Organizations should: (1) Carefully configure RAG system '
'data sources, (2) Implement enhanced monitoring for '
'AI-driven data access, (3) Stay informed about emerging '
'AI security research, (4) Follow NCSC guidance on '
'mitigating prompt injection attacks.',
'references': [{'date_accessed': '2025-12-08',
'source': 'Noma Security Report on GeminiJack'},
{'source': 'UK National Cyber Security Centre (NCSC) Guidance '
'on Prompt Injection Attacks'}],
'response': {'containment_measures': 'Separation of Vertex AI Search from '
'Gemini Enterprise, changes to RAG '
'workflows',
'remediation_measures': 'Updates to how Gemini Enterprise and '
'Vertex AI Search interact with '
'retrieval and indexing systems',
'third_party_assistance': 'Noma Security (researchers)'},
'title': 'GeminiJack: Zero-Click Vulnerability in Google Gemini Enterprise '
'Leading to Corporate Data Leaks',
'type': 'Zero-Click Vulnerability, Indirect Prompt Injection',
'vulnerability_exploited': 'Architectural weakness in Google Gemini '
'Enterprise and Vertex AI Search (RAG-based trust '
'boundary exploitation)'}