Cisco research exposes how open-weight AI models can be easily manipulated, posing serious security risks.
Key Takeaways:
Cisco has revealed critical security flaws in several leading open-weight large language models (LLMs), warning that cybercriminals can exploit them with only a few precisely crafted prompts. These vulnerabilities expose AI systems to manipulation, misinformation, and potential data breaches.
Specifically, Cisco’s researchers performed a comparative security assessment of eight open-weight large language models (LLMs) using Cisco’s AI Validation platform. They evaluated models including offerings from Alibaba, DeepSeek, Google, Meta, Microsoft, Mistral, OpenAI, and Zhipu AI.
The researchers found that publicly available AI models are highly vulnerable to adversarial manipulation. Multi-turn adversarial attacks have proven to be significantly more effective than single-turn attempts, with success rates ranging from two to ten times higher. Multi-turn adversarial attacks involve manipulating AI models through a series of prompts in a conversation to produce harmful or unintended responses. The Mistral Large-2 model exhibited the highest vulnerability, with a 92.78% success rate in multi-turn manipulation scenarios.
Additionally, models with capability-first approaches (such as Meta and Alibaba) showed larger gaps between single- and multi-turn vulnerabilities. Moreover, models with stronger safety alignment (like Google and OpenAI) had more balanced security profiles.

According to Cisco, high-risk threats such as misinformation, manipulation, and malicious code generation were consistently successful across various models. However, the effectiveness of specific attack methods varied depending on the model’s design and defenses.
Researchers warned that the vulnerabilities found in these models could lead to serious consequences in real-world applications, especially concerning the protection of sensitive data and user privacy.
“This could translate into real-world threats, including risks of sensitive data exfiltration, content manipulation leading to compromise of integrity of data and information, ethical breaches through biased outputs, and even operational disruptions in integrated systems like chatbots or decision-support tools,” researchers explained.
To protect against vulnerabilities in open-weight AI models, organizations should conduct adversarial testing, regularly probing models with challenging prompts to identify weaknesses before deployment. Context-aware guardrails should also be in place to ensure safe responses across all interactions, particularly in multi-turn conversations where risks are higher.
Additionally, regular red teaming exercises can simulate real-world attacks and reveal how models behave under pressure. Continuous real-time monitoring helps detect and address unsafe behavior promptly, and organizations should select models based not only on performance but also on security posture and alignment.