This work exposes critical security vulnerabilities in AI-based meteorological forecasting systems—such as Google’s GenCast—under adversarial observational attacks. We propose the first black-box adversarial attack targeting autoregressive diffusion weather models: by injecting imperceptible perturbations (amplitude < 0.1%) into a single satellite observation, the attack reliably induces high-confidence false predictions of extreme weather events—including hurricanes, heatwaves, and intense rainfall. Our method integrates gradient-free estimation, observational-space constraints, physics-informed regularization enforcing meteorological consistency, and multi-source data sensitivity analysis—ensuring both strong stealth and practical feasibility. Extensive experiments on GenCast and other state-of-the-art models confirm the attack’s effectiveness, revealing severe security risks in global multi-source fusion weather forecasting infrastructures. This study provides foundational theoretical insights and empirical evidence for robustness evaluation and defense design of AI-driven meteorological systems.

AI-based systems, such as Google's GenCast, have recently redefined the state of the art in weather forecasting, offering more accurate and timely predictions of both everyday weather and extreme events. While these systems are on the verge of replacing traditional meteorological methods, they also introduce new vulnerabilities into the forecasting process. In this paper, we investigate this threat and present a novel attack on autoregressive diffusion models, such as those used in GenCast, capable of manipulating weather forecasts and fabricating extreme events, including hurricanes, heat waves, and intense rainfall. The attack introduces subtle perturbations into weather observations that are statistically indistinguishable from natural noise and change less than 0.1% of the measurements - comparable to tampering with data from a single meteorological satellite. As modern forecasting integrates data from nearly a hundred satellites and many other sources operated by different countries, our findings highlight a critical security risk with the potential to cause large-scale disruptions and undermine public trust in weather prediction.