Old Vulnerabilities Get a Second Life as AI Attack Surface Expands
Legacy weaknesses - injection flaws, broken access controls, insecure deserialization, exposed secrets - are resurfacing inside AI systems. The same classes of bugs that have plagued web applications for two decades now show up in LLM pipelines, vector databases, agent frameworks, and the glue code wiring models to production data. Wrapping a model around an old API does not neutralize the API’s flaws; it amplifies them by giving an unpredictable, instruction-following intermediary direct access to the call.
Prompt injection acts as a force multiplier. An attacker who can plant text in a document, ticket, or webpage that an agent later ingests can trigger downstream SQL injection, SSRF, or privilege escalation through tools the model is permitted to call. The model becomes a confused deputy with shell access. Familiar mitigations - input validation, least privilege, output encoding, network segmentation - remain the right controls, but they now have to be applied at the boundary between the model and every tool, retrieval source, and credential it touches.
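One way to apply those controls at the boundary between the model and its tools, as an added illustration that is not code from the Dark Reading article or any product it discusses: the model never emits raw SQL or an arbitrary URL, only a tool name plus arguments, and a policy layer checks each call before anything reaches the database or the network. The tool names (`sql_query`, `fetch_url`), the named queries, the host allowlist, the sample tickets and the injected strings in the demo are all constructed for this example.

```python
"""Tool-boundary guard for an LLM agent (constructed example).

Every tool call the model proposes is validated here before it touches a
database or an HTTP client: named parameterized queries instead of free-form
SQL, a host allowlist plus public-IP check for fetches, and a fixed registry
so tools the agent was never granted (e.g. a shell) cannot be called at all.
"""
import ipaddress
import sqlite3
from urllib.parse import urlparse


class ToolPolicyError(Exception):
    """Raised when a model-issued tool call violates the boundary policy."""


# --- SQL tool: the model selects a named query and supplies typed params. ---
NAMED_QUERIES = {  # name: (sql, expected parameter types)
    "ticket_by_id": ("SELECT id, title, status FROM tickets WHERE id = ?", (int,)),
    "tickets_by_status": ("SELECT id, title FROM tickets WHERE status = ? LIMIT 50", (str,)),
}
STATUS_VALUES = {"open", "closed", "pending"}  # constructed enum for the status column


def build_sql(args):
    """Return (sql, params) for a policy-conformant call, else raise ToolPolicyError."""
    name = args.get("query")
    if name not in NAMED_QUERIES:
        raise ToolPolicyError(f"unknown query {name!r}")
    sql, types = NAMED_QUERIES[name]
    params = args.get("params", [])
    if len(params) != len(types):
        raise ToolPolicyError("parameter count mismatch")
    for value, expected in zip(params, types):
        # bool is a subclass of int, so reject it explicitly: True is not an id
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ToolPolicyError(f"parameter {value!r} is not {expected.__name__}")
    if name == "tickets_by_status" and params[0] not in STATUS_VALUES:
        raise ToolPolicyError("status outside the allowed set")
    return sql, tuple(params)


# --- Fetch tool: https only, allowlisted host, must resolve to public IPs. ---
ALLOWED_HOSTS = {"docs.example.com"}  # assumed allowlist for this agent


def _is_public(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_fetch_url(url, resolve):
    """Validate a fetch target. `resolve(host)` returns the IP strings the host
    maps to; it is injected so the check runs offline (in production wrap
    socket.getaddrinfo, and pin the resolved IP when making the request)."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ToolPolicyError("only https is permitted")
    host = parsed.hostname
    if host not in ALLOWED_HOSTS:
        raise ToolPolicyError(f"host {host!r} not on the allowlist")
    addrs = resolve(host)
    if not addrs or not all(_is_public(a) for a in addrs):
        raise ToolPolicyError("host resolves to a non-public address")
    return parsed.geturl()


# --- Registry: the only capabilities this agent holds. No entry, no call. ---
TOOLS = {
    "sql_query": lambda args, ctx: ("sql", build_sql(args)),
    "fetch_url": lambda args, ctx: ("fetch", check_fetch_url(args.get("url", ""), ctx["resolve"])),
}


def guard_tool_call(call, ctx):
    """Validate one model-emitted tool call against the registry and policies."""
    tool = call.get("tool")
    if tool not in TOOLS:
        raise ToolPolicyError(f"tool {tool!r} is not granted to this agent")
    return TOOLS[tool](call.get("args", {}), ctx)


def run_sql(conn, args):
    """Execute a validated named query with bound parameters."""
    sql, params = build_sql(args)
    return conn.execute(sql, params).fetchall()


def demo():
    """Exercise the guard with constructed data; returns a label -> outcome map."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)",
                     [(1, "Printer down", "open"), (2, "VPN flaky", "closed")])
    ctx = {"resolve": lambda host: ["203.0.113.10"]}  # constructed offline resolver
    results = {"good_sql": run_sql(conn, {"query": "ticket_by_id", "params": [1]})}
    # Constructed calls of the kind a poisoned document might steer the model into.
    for label, call in [
        ("freeform_sql", {"tool": "sql_query", "args": {"query": "SELECT * FROM tickets", "params": []}}),
        ("string_id", {"tool": "sql_query", "args": {"query": "ticket_by_id", "params": ["1 OR 1=1"]}}),
        ("private_ip", {"tool": "fetch_url", "args": {"url": "https://10.0.0.5/admin"}}),
        ("shell", {"tool": "shell", "args": {"cmd": "id"}}),
    ]:
        try:
            guard_tool_call(call, ctx)
            results[label] = "allowed"
        except ToolPolicyError as exc:
            results[label] = f"refused: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>13}: {outcome}")
```

The design point is that the model's output is treated as untrusted input to a small, typed API rather than as instructions: the same validation, allowlisting and least-privilege checks that protect a web endpoint sit between the model and each tool, so a successful prompt injection yields a refused call instead of a database read or an internal request.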
The practical takeaway: AI security is mostly application security with a faster blast radius. Teams shipping AI features inherit the full back catalog of OWASP issues plus a new class of natural-language attack vectors, and treating the LLM as a trusted component is the fastest way to turn a known bug into an incident.
Continue reading at Dark Reading. This is an AI-generated summary; read the original for the full story.