Your Semantic-Independent Watermark is Fragile: A Semantic Perturbation Attack against EaaS Watermark

📅 2024-11-14
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
Backdoor watermarking schemes in Embedding-as-a-Service (EaaS) suffer from semantic independence, rendering them vulnerable to adaptive attacks and compromising copyright protection. This paper identifies this fundamental vulnerability for the first time and proposes Semantic Perturbation Attack (SPA), the first semantic-level adaptive attack paradigm targeting EaaS embedding watermarks. SPA employs gradient-guided semantic feature tuning to generate adversarial inputs under black-box API queries, successfully evading watermark detection while preserving downstream task performance (degradation <1%). Evaluated across multiple datasets and cross-model settings, SPA achieves >95% watermark evasion rates, exposing critical weaknesses in existing watermarking approaches. The implementation is publicly released.

πŸ“ Abstract
Embedding-as-a-Service (EaaS) has emerged as a successful business pattern but faces significant challenges related to various forms of copyright infringement, particularly, the API misuse and model extraction attacks. Various studies have proposed backdoor-based watermarking schemes to protect the copyright of EaaS services. In this paper, we reveal that previous watermarking schemes possess semantic-independent characteristics and propose the Semantic Perturbation Attack (SPA). Our theoretical and experimental analysis demonstrate that this semantic-independent nature makes current watermarking schemes vulnerable to adaptive attacks that exploit semantic perturbations tests to bypass watermark verification. Extensive experimental results across multiple datasets demonstrate that the True Positive Rate (TPR) for identifying watermarked samples under SPA can reach up to more than 95%, rendering watermarks ineffective while maintaining the high utility of embeddings. Furthermore, we discuss potential defense strategies to mitigate SPA. Our code is available at https://github.com/Zk4-ps/EaaS-Embedding-Watermark.
Problem

Research questions and friction points this paper is trying to address.

Exposes vulnerability in EaaS watermarking schemes
Introduces Semantic Perturbation Attack (SPA)
Proposes defense strategies against SPA
Innovation

Methods, ideas, or system contributions that make the work stand out.

Semantic Perturbation Attack proposed
Backdoor-based watermarking vulnerability exposed
High True Positive Rate achieved
Zekun Fei
Nankai University
Data Security, AI Security
Biao Yi
Nankai University
LLM Security, Trustworthy LLM, Steganography
Jianing Geng
College of Cyber Science, Key Laboratory of DISSec, Nankai University, China
Ruiqi He
College of Cyber Science, Key Laboratory of DISSec, Nankai University, China
Lihai Nie
College of Cyber Science, Key Laboratory of DISSec, Nankai University, China
Zheli Liu
College of Cyber Science, Key Laboratory of DISSec, Nankai University, China