Skip to main content
CybersecurityAI & Machine Learning

Multi-Turn Attacks Reveal Stunning Open-Weight LLM Flaws

Multi-Turn Attacks Reveal Stunning Open-Weight LLM Flaws

What happens when the tools built to help us think start being taught how to be tricked? That is the urgent question experts are asking after a new Cisco analysis showed that multi-turn adversarial strategies can defeat some open-weight large language models (LLMs) with astonishing frequency — the company reports success rates approaching 90% in certain scenarios.

At stake is more than a technical curiosity. LLMs are woven into search aids, customer service, code generation, classroom tools and critical automation. If sustained, conversationally guided attacks can reliably coax models into revealing restricted content, performing unsafe operations, or propagating falsehoods, the consequences ripple across security, commerce and public trust.

Background: an adversary’s conversation, not a single prompt

Early jailbreaks worked as one-off tricks: craft a prompt that slips past a model’s safety checks and get it to respond. Multi-turn attacks change the game. Instead of a single injection, attackers orchestrate a dialogue — a series of prompts and clarifying exchanges — that gradually reshapes the model’s context and incentives. In this incremental approach, the model’s own attempts to be helpful and context-aware become vectors for manipulation. Cisco’s report, summarized by multiple trade outlets, shows that when adversaries chain queries across turns they can dramatically increase the chance of eliciting disallowed or dangerous outputs from open-weight models.

How the technique exploits model design and deployment

  • Context accumulation: LLMs retain conversational context across exchanges to be coherent. Adversaries use that persistence to introduce benign‑looking material, then layer covert instructions into subsequent turns so the model treats them as part of the same, legitimate request.
  • Instruction-following bias: Many models are explicitly tuned to follow user instructions. That helpfulness bias can be weaponized; when an attacker frames malicious content as a requested task or a role-play, the model is likelier to comply.
  • Weaknesses in heuristic moderation: Simple keyword or pattern filters can be bypassed by rephrasing or by embedding instructions in structurally authoritative formats — for example, legal-looking clauses — a technique security researchers have demonstrated in other contexts. Pangea’s “LegalPwn” research showed that hiding adversarial instructions inside formal legal prose can trick models into ignoring safety rules, highlighting that format and tone can act as camouflage for malicious intent .

Why Cisco’s findings matter

First, they underscore that model safety cannot be validated by single-shot checks alone. A system that resists isolated prompts may still be vulnerable once an attacker exploits conversational dynamics. Second, the high success rates reported in controlled tests suggest attackers need not be highly skilled: with systematic probing and modest automation, an adversary can iterate until the model yields.

Perspectives from the field

Technologists: For model builders and platform operators, the implications are operational and architectural. Defenses that rely on stateless moderation or simple input classification must be rethought. Engineers will need to harden models against contextual manipulation, for example by:

  • designing conversation-aware moderation that reasons over the full dialogue, not just the last user message;
  • adding adversarial testing suites that simulate multi-turn jailbreaks during development;
  • deploying real-time anomaly detection and rate-limiting on conversational sessions to frustrate iterative probing.

Policymakers: Regulators and lawmakers face the classic trade-off between innovation and public safety. Some will push for transparency requirements — disclosure of known failure modes and robust incident reporting — while others may seek minimum safety standards for models used in sensitive sectors. Those conversations will need input from technologists, civil-society groups and industry to avoid onerous rules that stifle beneficial uses while still addressing real harms.

Users: Everyday users and enterprises must adjust expectations. No model is perfectly safe; prudent operators should treat LLM outputs as assistance, not authoritative decisions. Critical workflows — medical, legal, safety‑critical code — need human‑in‑the‑loop validation and stronger guardrails.

Adversaries: From a threat‑actor perspective, multi‑turn techniques are attractive because they scale. Automated scripts can probe at volume, and open-weight models (whose weights are publicly available) reduce the technical barriers to large-scale testing and exploitation. The availability of model weights, combined with the conversational approach, creates a low-cost pathway to effective jailbreaks.

Counterarguments and limits

Not everyone agrees that the sky is falling. Some researchers argue that defensive improvements can substantially reduce practical risk: better context modeling for moderation, dynamic policy enforcement that flags intent shifts, and ensemble approaches combining multiple safety checks. Others point out that controlled lab success rates do not always translate to real-world operational success: attacks that require many turns, precise phrasing, or unstable conditions may be harder to scale against vigilant platforms.

Operational recommendations

  • Adopt conversation‑aware moderation that evaluates intent and drift across turns, not only single prompts.
  • Include multi-turn adversarial examples in safety testing and red-teaming exercises.
  • Limit persistent conversational state for high‑risk workflows and require periodic re-authentication or confirmation for sensitive actions.
  • Increase transparency: operators should document safety limitations and publish incident summaries to inform users and regulators.

Ethical and societal dimensions

There is a deeper question about trust. As these models assume roles traditionally held by experts, the public must know when a system is fallible and why. If conversational manipulation becomes a routine route to harmful outputs, confidence in AI assistance could erode — not because the technology is inherently malicious but because systems were not designed for the adversarial environments in which they now operate.

Conclusion

Multi-turn attacks reveal that model safety is not a binary property but an ongoing contest between builders and those who would exploit them. Cisco’s analysis — and the broader body of research showing how context, tone and formatting can be weaponized — should prompt a sober reassessment of how we build, test and govern conversational AI. The question is no longer whether LLMs can be tricked; it is how resilient we can make them before trust, safety and critical workflows pay the price.

Source: https://www.infosecurity-magazine.com/news/multi-turn-attacks-llm-models/