Google Confirms First AI-Generated Zero-Day Exploit in the Wild
A Python script bypassing 2FA on system administration software marks the moment AI moved from reconnaissance tool to autonomous exploit generator, collapsing discovery timelines and breaking traditional patching cycles.
Google’s Threat Intelligence Group disclosed on 11 May that cybercriminals used a large language model to discover and weaponize a previously unknown zero-day vulnerability—the first documented case of AI-generated exploit code deployed in active threat operations.
The exploit, a Python script enabling two-factor authentication bypass on a popular open-source web administration tool, was discovered before mass deployment. The script contained telltale markers of LLM authorship: educational docstrings, a hallucinated CVSS severity score, and textbook-clean formatting characteristic of model-generated code, according to Help Net Security.
Google declined to name the affected software vendor or assign a CVE identifier, citing coordinated disclosure protocols. The company’s preemptive intervention likely prevented a mass exploitation campaign targeting enterprise environments.
“There’s a misconception that the AI vulnerability race is imminent. The reality is that it’s already begun.”
— John Hultquist, Chief Analyst at Google Threat Intelligence Group
Semantic Logic Flaws at Machine Scale
The vulnerability exploited a high-level semantic logic flaw—a hard-coded trust assumption embedded in the application’s authentication flow. Traditional fuzzing and static analysis tools struggle with this class of bug. LLMs excel precisely because they parse code as natural language, identifying design-level contradictions invisible to signature-based scanners, per The Hacker News.
This represents a qualitative shift. Where human researchers might spend weeks tracing control flows across thousands of lines of code, an LLM can propose exploit chains in hours—synthesizing disparate logic paths into working proof-of-concept scripts.
The vulnerability stems from a class of bugs that arise when developers make implicit assumptions about trust boundaries between components. These flaws are invisible to automated scanners but readable to systems trained on millions of code examples. LLMs recognize patterns across programming paradigms that static analysis tools, built for syntactic correctness, cannot.
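The bug class described in this section, shown as an added example; it is not the undisclosed flaw, which this article does not detail, and not any real product's code. The trusted address, the user record and all function names are hypothetical. Each line of the flawed login is syntactically valid, so the defect only surfaces when a design-level invariant is tested: no session may be issued without a verified second factor.

```python
import hmac

TRUSTED_PROXY = "10.0.0.5"  # hypothetical hard-coded "internal" address
USERS = {"admin": {"password": "correct horse", "otp": "492817"}}  # constructed data


def password_ok(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


def otp_ok(user, otp):
    # A static code stands in for a real TOTP check to keep the example offline.
    rec = USERS.get(user)
    return rec is not None and otp is not None and hmac.compare_digest(rec["otp"], otp)


def login_flawed(user, password, otp, forwarded_for):
    """Skips the second factor when a caller-supplied value names the trusted host."""
    if not password_ok(user, password):
        return None
    if forwarded_for == TRUSTED_PROXY:  # trust decision made on caller-controlled input
        return {"user": user, "mfa": False}
    return {"user": user, "mfa": True} if otp_ok(user, otp) else None


def login_hardened(user, password, otp, forwarded_for):
    """No branch issues a session unless both factors verify; origin grants nothing."""
    if not (password_ok(user, password) and otp_ok(user, otp)):
        return None
    return {"user": user, "mfa": True}


def sessions_without_mfa(login):
    """Invariant test: list every input combination that yields a session without a valid OTP."""
    violations = []
    for otp in (None, "000000", "492817"):
        for source in (None, "203.0.113.7", TRUSTED_PROXY):
            session = login("admin", "correct horse", otp, source)
            if session is not None and not otp_ok("admin", otp):
                violations.append((otp, source))
    return violations
```

Run as a regression test in CI, `sessions_without_mfa` returns an empty list for the hardened flow and names the offending input combinations for the flawed one.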
State Actors Deploy AI at Industrial Scale
APT45, a North Korean military intelligence unit, used AI to validate thousands of exploits targeting known software flaws, according to Axios. The group automated exploit testing workflows, enabling disproportionate operational tempo without corresponding headcount expansion.
Chinese state-linked group UNC2814 deployed persona-driven jailbreaks to bypass model safety guardrails, focusing on embedded device firmware including TP-Link OFTP implementations, SecurityWeek reported. The technique uses carefully crafted prompts to reframe offensive security research as legitimate academic inquiry, circumventing content filters.
In March, cybercrime group TeamPCP compromised multiple GitHub repositories including the LiteLLM AI gateway, embedding the SANDCLOCK credential stealer to extract AWS keys and GitHub tokens from build environments. The operation demonstrated how AI infrastructure itself has become high-value attack surface.
The Patching Problem
Enterprise security assumes a multi-week buffer between vulnerability disclosure and active exploitation. That assumption is now obsolete. The window between discovery and weaponization has collapsed to hours, according to analysis from DataOps Labs citing CSA, SANS, and OWASP frameworks.
Current patch deployment cycles were built for human-speed reconnaissance. In environments where testing, approval, and rollout require 30-90 days, organisations now face a structural disadvantage against adversaries operating at machine velocity.
The industry’s 90-day responsible disclosure standard, designed to balance researcher incentives with vendor remediation timelines, breaks when attackers can independently rediscover and weaponize the same flaw before patches deploy. Hultquist told Axios: “For every zero-day we can trace back to AI, there are probably many more out there.”
- Traditional 90-day disclosure windows assume human-speed exploitation—AI compresses this to hours
- LLMs excel at semantic logic flaws invisible to fuzzing and static analysis tools
- State actors achieve APT-level operational tempo without proportional workforce scaling
- Enterprise patch cycles designed for monthly deployment are structurally mismatched to real-time threat generation
Attribution Challenges
Identifying AI-generated exploits requires forensic analysis of code style, documentation patterns, and logical structure. The disclosed Python script’s clean formatting, educational comments, and fabricated CVSS score provided clear attribution markers. But sophisticated actors will rapidly adapt, stripping telltale signatures or mixing AI-generated code with human modifications.
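A triage sketch for the stylistic markers named above, added here as an example and not Google's method or tooling. The function name, the regular expression and the sample file are assumptions; the output is a set of hints for an analyst, not proof of authorship, and a flagged severity score still has to be checked against a real advisory.

```python
import ast
import io
import re
import tokenize

# Matches a self-assigned severity such as "CVSS v3.1 score: 9.8" or "CVSS: 7.5".
CVSS_CLAIM = re.compile(
    r"CVSS(?:\s*v?\d\.\d)?\s*(?:base\s+)?(?:score)?\s*[:=]?\s*(\d{1,2}\.\d)\b", re.I)


def style_markers(source):
    """Return documentation-style markers for one Python file as a dict."""
    tree = ast.parse(source)
    defs = [n for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    documented = sum(1 for n in defs if ast.get_docstring(n))
    tokens = tokenize.generate_tokens(io.StringIO(source).readline)
    comment_lines = {t.start[0] for t in tokens if t.type == tokenize.COMMENT}
    lines = source.splitlines()
    nonblank = [line for line in lines if line.strip()]
    claims = [(num, m.group(1)) for num, line in enumerate(lines, 1)
              for m in CVSS_CLAIM.finditer(line)]
    return {
        "docstring_coverage": documented / len(defs) if defs else 0.0,
        "module_docstring": ast.get_docstring(tree) is not None,
        "comment_line_ratio": round(len(comment_lines) / len(nonblank), 2) if nonblank else 0.0,
        "cvss_claims": claims,  # (line number, score) pairs for an analyst to verify
    }


# Constructed, harmless sample written for this example.
SAMPLE = '''"""Demonstration tool.

Severity: CVSS v3.1 score: 9.8 (Critical)
"""

def build_request(host):
    """Build the request for the given host."""
    # Step 1: assemble the URL
    return "https://" + host + "/status"


def main():
    """Entry point."""
    print(build_request("example.invalid"))
'''
```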
Google’s Threat Intelligence Group noted in its disclosure: “As the coding capabilities of AI models advance, we continue to observe adversaries increasingly leverage these tools as expert-level force multipliers for vulnerability research and exploit development, including for zero-day vulnerabilities.”
The disclosure comes 18 months after Google’s Project Zero and DeepMind teams demonstrated Big Sleep, an AI system that discovered a buffer overflow in SQLite before human researchers. That proof-of-concept, conducted in controlled research environments, has now transitioned to adversarial deployment in live operations.
What to Watch
Anthropic’s April announcement of Claude Mythos alongside Project Glasswing—a coordinated vulnerability disclosure framework involving multiple frontier labs—signals industry awareness that model capabilities now outpace defensive infrastructure. Whether labs maintain release controls as open-weight alternatives proliferate remains the central governance question.
Enterprises face an immediate operational decision: accelerate patch deployment cycles to match AI-driven discovery speeds, or accept that production systems will operate with known exploitable flaws for weeks between disclosure and remediation. The middle ground—the traditional 90-day buffer—no longer exists.
Monitor vendor patch release cadence for significant acceleration, particularly for web-facing administration tools and authentication systems. Any vendor maintaining monthly patch cycles in this environment is structurally vulnerable. The exploit Google intercepted targeted precisely this category of software—high-value, widely deployed, and assumed secure behind 2FA.