Cisco’s AI Threat Intelligence and Security Research team analyzed attacks on vision-language models (VLMs) using pixel-level perturbations to embed malicious instructions in images. These perturbations are imperceptible to humans and OCR tools but can make hidden instructions legible to AI models or reduce their safety refusals. The research applied optimizations against open embedding models and transferred results to proprietary systems such as GPT-4o and Claude. Claude showed a 28% increase in attack success on heavily blurred images after perturbation, while GPT-4o maintained stronger safety alignment. This demonstrates that attackers can craft images that cause AI agents to execute hidden commands, bypassing current safety and filtering mechanisms.

The impact involves potential manipulation of AI vision-language models to execute hidden malicious instructions embedded in images, which humans cannot detect. This could lead to AI agents performing unauthorized actions such as data exfiltration or ignoring prior safety instructions. However, the research indicates that some models have safety filters that limit attack success, and no known exploits in the wild have been reported. The threat is primarily to AI systems that interpret images and act autonomously based on their content.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Cisco’s research highlights the need for more robust defenses in the AI model representation space to detect and mitigate such pixel-level perturbation attacks. Organizations using VLMs should monitor vendor advisories for updates and improvements in safety filters and model robustness. No specific patches or fixes are currently documented. Until official mitigations are available, caution is advised when deploying AI systems that interpret untrusted images.