A research team at Xidian University has published an attack — CrossMPI — that perturbs an image invisibly to humans and, without changing a single character of the user's text prompt, causes a vision-language model to execute the attacker's task. Average success rate across six production-style models: 66.36%. None of the five defenses the researchers tested fully eliminated it. [1]
If you are deploying large vision-language models (LVLMs) — or if any of your SaaS vendors are serving AI features that process images alongside text — you should read this paper carefully. More importantly, you should understand why the controls you already have are structurally blind to this attack class, and what a framework with circuit-level visibility can do that yours cannot.
What CrossMPI Is
Traditional prompt injection is a text attack. An attacker crafts a text string — in a document, a retrieved chunk, a user message — that hijacks the model's behavior. The defenses are correspondingly text-centric: input classifiers, output filters, constitutional AI fine-tuning, guardrails that look for adversarial phrasing patterns.
CrossMPI is different. The adversarial payload lives entirely in the image. The attack works by computing a pixel-space perturbation — changes to specific pixel values that are imperceptible to human viewers — that activates a hidden instruction once the image is processed by the model's vision encoder. The text prompt from the user is completely clean. The model receives a legitimate question from a legitimate user, but the image it is also processing carries a hidden directive.
The attack targets the model's multimodal fusion layers — the internal components where visual token representations and textual token representations are merged into a shared semantic space. In the architectures Yang et al. tested, these fusion-critical layers are approximately layers 12 through 18, depending on model architecture. When the perturbed image is processed through these layers, it activates representations that produce the attacker's intended behavior, not the user's intended task.
The result: a model that appears to be answering the user correctly, from the output monitor's perspective, while actually executing the attacker's task.
The Numbers
The paper tested six LVLMs in a black-box setting — meaning the attackers had no access to model weights or gradients, only the ability to query the model and observe outputs. This is the threat model that applies to virtually every enterprise deployment.
Average attack success rate across six models: 66.36%.
The researchers tested five defense categories: adversarial training, input preprocessing, prompt-based defenses, detection classifiers, and output filtering. None fully eliminated the attack. The best-performing defense category reduced success rates but did not bring them to negligible levels under all configurations.
To put the 66.36% number in CIRCUIT terms: the Robustness KPI floor for High-tier models is ≥ 90%. A model operating at 34% robustness against this attack class — which is what the CrossMPI results imply for an unprotected deployment — fails the High-tier floor by a factor of 2.6×. CIRCUIT does not allow deployment of such a model at High tier without compensating controls and a documented remediation path.
Why Your Current Controls Miss It
Let me be specific about the failure modes, because "your controls miss it" is a claim that deserves precision.
Output monitoring is looking for anomalous output patterns — content that violates policy, PII leakage, harmful completions, behavioral guardrail triggers. CrossMPI produces output that is contextually coherent and responsive to the injected instruction. The model is not hallucinating; it is executing a task. From the output monitor's perspective, this looks like a successful, helpful model response. There is no signal to alert on.
Input content filtering scans the text prompt. The text prompt is clean. There are image preprocessing steps that can detect adversarial perturbations in images — JPEG compression, input smoothing, randomized cropping — but the paper demonstrated that CrossMPI remains partially effective against these defenses, and they are not universally deployed in production inference pipelines.
Vendor attestation documents what the vendor has evaluated and what their safety posture was at the time of the attestation. A vendor that has not published SAE analysis of its fusion layers — or that cannot name which layers in its architecture are fusion-critical and what the activation geometry looks like for adversarially perturbed images — cannot provide the evidence needed to assess CrossMPI exposure. The attestation is not necessarily false; it is incomplete by structural necessity.
Behavioral red teaming without internal model access probes the model from the outside using text inputs. CrossMPI requires pixel-space adversarial construction against the visual input pipeline. A behavioral red team that cannot observe fusion-layer activations cannot find this attack class through text-only probing. The failure mode is architecturally invisible from the input/output surface.
This is not a failure of your security program. These controls were designed for text-based systems and text-based threats. The threat surface has expanded; the control surface has not.
What CIRCUIT Does About It
CIRCUIT's six KPIs and its vendor transparency requirements create the governance surface that this attack class requires. Let me map each directly.
Monosemanticity
CrossMPI exploits polysemantic fusion features — internal representations that activate for multiple conceptually distinct inputs, including both legitimate visual concepts and adversarially constructed pixel patterns. When fusion-layer features are polysemantic, the adversarial signal hides inside a feature that also activates for normal inputs. Anomaly detection is impossible because the feature activation profile for a CrossMPI-perturbed image overlaps with the activation profile for a clean image carrying the same semantic content.
A model with monosemantic fusion features has discrete, labeled representations for each visual concept. A specific feature that activates for "document attached" does not also activate for "execute this instruction." When a perturbed image causes anomalous activation — a visual feature activating in a semantic context where it should not appear — that anomaly is directly observable in the feature monitoring dashboard.
CIRCUIT requires evidence of feature labeling in the monitored circuit. An LVLM that cannot provide fusion-layer feature dictionaries cannot claim IMS 3 or above. It carries a higher Circuit Risk Score reflecting its opacity to this attack class. That score drives the approval ladder.
Robustness
The Robustness KPI measures the fraction of adversarial perturbation attempts under which the identified circuit maintains its structural integrity and the safety-relevant features continue to activate as expected.
Yang et al.'s 66.36% black-box success rate means an unprotected LVLM operates at approximately 34% robustness against this specific attack class. CIRCUIT's High-tier Robustness floor is 90%. A model measured at 34% fails this floor definitively.
The practical consequence: the CRS computation for a model with this Robustness failure at High tier is computed using the actual measured IMS, not an optimistic estimate. If the model cannot produce robustness evidence meeting the floor, its IMS evidence for that KPI is incomplete, and the CRS reflects the deficit. The approval ladder does not bend for a vendor's assurance that the model is "generally robust."
ACFR — Adversarial Circuit Failure Rate
An LVLM exposed to CrossMPI-class attacks in a production environment will produce P1 security incidents when the injection succeeds — automated actions taken on behalf of an attacker, data exfiltration, privilege escalation in an agentic workflow. Each of these incidents increments the ACFR count for that model in that quarter.
ACFR is a count, not a ratio — not normalized by traffic. If ACFR ≥ 1 in any model-quarter, Rule 7 mandates: a Red-band transition, a mandatory governance review within 30 days, and — if ACFR is not declining — Purple-band escalation within the 180-day remediation clock. The High-tier expectation is 0; one successful bypass is the trigger.
This is the ACFR mechanism doing what it is designed to do: creating an automatic trip-wire for attack classes that evade behavioral monitoring but produce detectable production consequences. The model does not need to be known-vulnerable at deployment for this to work. It needs to be monitored in production with ACFR tracked, so that when an attack succeeds, the governance machinery engages within 30 days rather than sitting undetected for quarters.
Circuit Size and Edge Count
Attribution graph evidence at IMS 4 reveals the hidden-state pathway that CrossMPI activates. When a perturbed image is processed, the fusion-layer activation pattern differs from the clean-image baseline. Attribution graph analysis of this difference identifies the specific features and connections carrying the injected signal from the image token stream into the shared semantic space.
If this pathway involves more than 100 nodes or 500 edges — as is common for complex cross-modal routing in current architectures — the model fails the High-tier KPI floors on circuit complexity. This indicates that the attack surface is too large to monitor without automated tooling. A circuit with 800 features and 4,000 edges cannot be reviewed by a security engineer in any reasonable time window. The KPI floors are not arbitrary; they are calibrated to the upper bound of what a single reviewer can meaningfully audit.
The Registry Entry That Would Have Helped
CIRCUIT's vendor transparency section (registry section 5) asks vendors 29 questions across four domains. Questions 9, 10, and 12 are the relevant ones for CrossMPI:
- Q9 (SAE coverage): Have sparse autoencoders been trained on any layer of the model? If yes, is the feature dictionary available under NDA or openly? — A vendor with fusion-layer SAE coverage can answer this specifically: "SAEs trained on all layers including fusion layers 12–18; feature dictionary available under NDA; fusion-layer monosemanticity 0.71 on multimodal concepts."
- Q10 (Attribution graphs for safety behaviors): Have attribution graphs or circuits been identified for safety-relevant behaviors? — A vendor who has characterized the fusion-layer architecture can describe the multimodal injection resistance circuit and provide ablation study evidence.
- Q12 (Robustness under adversarial perturbation): What is your model's reported robustness under adversarial context perturbation? — A vendor who has tested against image-only injection can provide a specific robustness score against CrossMPI-class attacks on a held-out test set.
A vendor unable to answer these questions at the Acceptable level — with specific artifacts, named methodologies, and engineering-level sign-off — triggers Rule 8. The non-response or insufficient response is documented in the registry. CRS computes at IMS 0 until a satisfactory response is received. The vendor's silence becomes a quantified risk number in your governance program.
This is how the questionnaire works. It does not rely on the vendor volunteering information. It creates a documented record of what the vendor could and could not answer, and it converts that record into a computable CRS consequence.
What to Do Right Now
If you are deploying LVLMs today, or procuring SaaS products that process images with AI:
- Classify these systems under CIRCUIT. Every LVLM that processes user-supplied or third-party images in a High- or Critical-tier workflow needs a registry entry. The IMS is almost certainly 0 or 1 for Category B and C systems without explicit fusion-layer interpretability evidence.
- Send Questions 9, 10, and 12 from the vendor questionnaire immediately, with a 60-day response deadline per Rule 8. The answers — or the silence — will tell you more about the vendor's actual security posture than any SOC 2 certificate.
- Reposition workflows. Any LVLM processing images in an automated or irreversible consequence context should be repositioned to advisory-only (DCW 1) until fusion-layer robustness evidence is on file. The CRS reduction from Catastrophic to Advisory on a Critical-tier system with IMS 1 is from 100 (Purple, blocked) to 20 (Amber, operational with governance review). This is the workflow-repositioning lever, and it is available to you right now without waiting for vendor cooperation.
- Add CrossMPI to your circuit-aware red team scope. Rule 6 requires circuit-aware red teaming — not behavioral-only. For any LVLM at High or Critical tier, the next red team engagement should include MITRE ATLAS technique AML.T0043 (Craft Adversarial Data) targeting the visual input pipeline specifically.
The Larger Point
CrossMPI is not an exotic research result that will never reach production. It is a published attack with a 66% success rate against systems that organizations are deploying today. The research community has given enterprise security functions four months' notice before this technique becomes operational in threat actor toolkits. That window is shorter than most enterprise procurement cycles.
The reason CIRCUIT's IMS framework, KPI floors, and vendor questionnaire exist is precisely for situations like this. An attack class that is invisible to output monitoring, invisible to behavioral red teaming, and invisible to vendor attestation is only catchable at the circuit level. The 90% Robustness KPI floor was not set at 90% arbitrarily. It was set at 90% because a model operating at 34% robustness against a published attack class is not a model that belongs in a High-tier autonomous workflow.
Governance frameworks that cannot answer the question "is this model structurally vulnerable to CrossMPI-class attacks?" are not governing the risk. They are documenting the fact that they do not know.
References
- Yang, Z., et al. (2026). CrossMPI: Cross-Modal Prompt Injection via Image-Only Attacks on Large Vision-Language Models. arXiv:2605.16090 [cs.CR]. 15 May 2026.
- MITRE. ATLAS — Adversarial Threat Landscape for AI Systems. Technique AML.T0051 (LLM Prompt Injection), AML.T0043 (Craft Adversarial Data). atlas.mitre.org.
- OWASP. OWASP Top 10 for Large Language Model Applications. LLM01 (Prompt Injection), LLM02 (Insecure Output Handling). owasp.org.
- CIRCUIT Framework. Section 6.0: Worked Vulnerability Case Study — CrossMPI. whitepaper.html. v1.2.0, May 2026.