Google's Threat Intelligence Group has identified what it believes to be the first zero-day exploit developed with the assistance of artificial intelligence, marking a significant escalation in the use of AI by cybercriminals. The exploit, implemented as a Python script, targeted a vulnerability in a popular open-source web-based system administration tool, allowing attackers to bypass two-factor authentication (2FA). Google detected the threat before it could be deployed at scale, collaborating with the affected vendor to patch the flaw and notifying law enforcement to disrupt the operation.
According to Google's report, released on Monday, a prominent cybercrime group had partnered with other actors to orchestrate a mass exploitation campaign. The script's structure provided key clues to its AI origins: it featured an abundance of educational docstrings, a hallucinated Common Vulnerability Scoring System (CVSS) score, detailed help menus, and a clean ANSI color class, elements characteristic of large language model (LLM) training data but unusual in human-crafted exploits. Researchers expressed high confidence that an AI model, though not Google's Gemini or Anthropic's Claude, aided in discovering the vulnerability (a faulty trust assumption) and weaponizing it into a functional tool.
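As an added illustration, not code from Google's report or from the script it describes, the following static triage heuristic scans a Python source for the four stylistic tells listed above (docstring density, a CVSS score, argparse help text, an ANSI colour class) and returns a 0-4 score; the two sample scripts and the thresholds are constructed for this example.

```python
import ast
import re

# Constructed sample (not a real script): a benign tool written with the stylistic
# tells the article lists: docstrings everywhere, a CVSS score, argparse help, an ANSI class.
SAMPLE_LLM_STYLE = r'''
"""Service banner checker.
CVSS Score: 9.8 (Critical) - severity of the issue this tool looks for.
"""
import argparse
class Colors:
    """ANSI escape codes for readable terminal output."""
    RED = "\033[91m"
    RESET = "\033[0m"
def main():
    """Parse command-line arguments and run the check."""
    parser = argparse.ArgumentParser(description="Check a service banner")
    parser.add_argument("--host", help="Host to query")
    parser.add_argument("--port", type=int, default=443, help="TCP port")
    return parser.parse_args()
'''
# Constructed contrast sample in a terse, hand-written style.
SAMPLE_PLAIN = "import sys\nhost = sys.argv[1]\nprint('checking', host)\n"

CVSS_RE = re.compile(r"\bCVSS\b[^\n\d]{0,20}(\d{1,2}(?:\.\d)?)", re.IGNORECASE)
SCOPES = (ast.Module, ast.ClassDef, ast.FunctionDef, ast.AsyncFunctionDef)

def _is_ansi_string(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and "\x1b[" in node.value

def ai_style_indicators(source):
    """Count the stylistic tells in a Python source; score 0-4, higher = more LLM-like."""
    tree = ast.parse(source)
    nodes = list(ast.walk(tree))
    scopes = [n for n in nodes if isinstance(n, SCOPES)]
    documented = sum(1 for n in scopes if ast.get_docstring(n))
    # argparse help menus: add_argument(...) calls that carry help= text
    help_args = sum(1 for n in nodes if isinstance(n, ast.Call)
                    and isinstance(n.func, ast.Attribute) and n.func.attr == "add_argument"
                    and any(kw.arg == "help" for kw in n.keywords))
    # ANSI colour class: a class body assigning string constants holding ESC '[' sequences
    ansi_class = any(isinstance(n, ast.ClassDef) and any(
        _is_ansi_string(getattr(s, "value", None)) for s in n.body) for n in nodes)
    cvss = CVSS_RE.search(source)
    result = {"docstring_ratio": documented / len(scopes), "help_arguments": help_args,
              "cvss_score": cvss.group(1) if cvss else None, "ansi_color_class": ansi_class}
    result["score"] = sum([result["docstring_ratio"] >= 0.8, help_args >= 2,
                          result["cvss_score"] is not None, ansi_class])
    return result
```

These tells are weak evidence individually (well-documented human code trips them too), so treat the score as a triage hint for prioritising sample review, not as attribution.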
The incident underscores a shift in cyber threats, where AI enables attackers to uncover high-level logic flaws beyond simple input errors. As reported by SecurityWeek and CSO Online, Google observed similar AI experimentation by state-linked groups, such as North Korea's APT45, which bombarded models with thousands of prompts to analyze vulnerabilities and validate proofs-of-concept. While this case involved cybercriminals rather than confirmed nation-state actors, experts like John Hultquist from Google's team noted it fulfills long-standing fears of AI supercharging hacking capabilities.
No widespread damage occurred, as Google intervened early, but the event has implications for the broader cybersecurity landscape. Open-source tools, widely used by organizations for system management, now face heightened risks from AI-assisted attacks that could proliferate rapidly. Vendors and defenders must prioritize proactive measures, such as AI-driven threat detection, as models grow more adept at reasoning through complex flaws.
Looking ahead, cybersecurity firms anticipate more such incidents as AI reasoning advances. Google's disclosure, echoed in coverage from UPI and WPXI, emphasizes the need for responsible vulnerability reporting and international cooperation. Affected parties, including businesses relying on 2FA-protected admin tools, should verify patches and monitor for related threats, while the industry races to adapt defenses against this new frontier of automated malice.