This work exposes the high vulnerability of AI-based weather forecasting models to minute adversarial perturbations in initial conditions. To address the physical implausibility and detectability of existing adversarial attacks, we propose WAAPO—a novel framework that for the first time incorporates meteorologically grounded constraints—namely channel sparsity, spatial locality, and smoothness—into adversarial perturbation generation, enabling targeted, stealthy, and physically interpretable evasion attacks. Leveraging ERA5 reanalysis data and the FourCastNet model, WAAPO employs gradient-based optimization with multi-constraint joint regularization to achieve precise trajectory alignment under strict perturbation budgets. Experiments systematically reveal robustness risks in high-resolution numerical weather prediction models powered by AI, demonstrating that imperceptible initial perturbations can induce substantial forecast divergence. This study provides the first comprehensive empirical evidence of such fragility in operational AI meteorological systems, sounding a critical security alarm for real-world deployment.

With the increasing reliance on AI models for weather forecasting, it is imperative to evaluate their vulnerability to adversarial perturbations. This work introduces Weather Adaptive Adversarial Perturbation Optimization (WAAPO), a novel framework for generating targeted adversarial perturbations that are both effective in manipulating forecasts and stealthy to avoid detection. WAAPO achieves this by incorporating constraints for channel sparsity, spatial localization, and smoothness, ensuring that perturbations remain physically realistic and imperceptible. Using the ERA5 dataset and FourCastNet (Pathak et al. 2022), we demonstrate WAAPO's ability to generate adversarial trajectories that align closely with predefined targets, even under constrained conditions. Our experiments highlight critical vulnerabilities in AI-driven forecasting models, where small perturbations to initial conditions can result in significant deviations in predicted weather patterns. These findings underscore the need for robust safeguards to protect against adversarial exploitation in operational forecasting systems.