This work addresses a critical limitation in existing model poisoning attacks against federated learning, which typically rely on collusion among malicious clients and are thus easily detectable and impractical in real-world settings. The paper formally introduces, for the first time, a non-colluding model poisoning threat model and proposes XFED, an aggregation-agnostic attack method that enables malicious clients to independently generate effective poisoned updates without inter-client communication or knowledge of the server’s defense mechanisms. Built upon a local model perturbation strategy, XFED is compatible with diverse aggregation algorithms and successfully evades eight state-of-the-art defenses across six benchmark datasets. Experimental results demonstrate that XFED significantly outperforms six existing attacks, revealing that the security of current federated learning systems has been substantially overestimated.

Model poisoning attacks pose a significant security threat to Federated Learning (FL). Most existing model poisoning attacks rely on collusion, requiring adversarial clients to coordinate by exchanging local benign models and synchronizing the generation of their poisoned updates. However, sustaining such coordination is increasingly impractical in real-world FL deployments, as it effectively requires botnet-like control over many devices. This approach is costly to maintain and highly vulnerable to detection. This context raises a fundamental question: Can model poisoning attacks remain effective without any communication between attackers? To address this challenge, we introduce and formalize the \textbf{non-collusive attack model}, in which all compromised clients share a common adversarial objective but operate independently. Under this model, each attacker generates its malicious update without communicating with other adversaries, accessing other clients'updates, or relying on any knowledge of server-side defenses. To demonstrate the feasibility of this threat model, we propose \textbf{XFED}, the first aggregation-agnostic, non-collusive model poisoning attack. Our empirical evaluation across six benchmark datasets shows that XFED bypasses eight state-of-the-art defenses and outperforms six existing model poisoning attacks. These findings indicate that FL systems are substantially less secure than previously believed and underscore the urgent need for more robust and practical defense mechanisms.