VYPR Research · Published May 11, 2026 · Updated May 18, 2026 · 1 source

Google Threat Intelligence Reports First AI-Generated Zero-Day Exploit in the Wild

Google's Threat Intelligence Group has documented the first confirmed case of cybercriminals using an AI model to discover and weaponize a zero-day vulnerability, targeting a popular open-source system administration tool to bypass two-factor authentication.

Google Threat Intelligence Group (GTIG) has reported the first observed instance of cybercriminals using artificial intelligence to identify and weaponize a zero-day vulnerability. Published on May 11 in the GTIG AI Threat Tracker report, the finding marks a significant escalation in the AI threat landscape, moving from theoretical risk to confirmed operational use.

The AI-developed exploit targeted a popular open-source, web-based system administration tool, aiming to bypass two-factor authentication (2FA) protections. GTIG stated that "prominent" cybercrime threat actors partnered to plan a mass vulnerability exploitation operation, but the company worked with the vendor to close the vulnerability and disrupt the campaign before the new zero-day could be deployed in the wild.

Analysis of the exploit code, which was implemented in Python, revealed hallmarks of AI generation, including highly structured educational docstrings and a Pythonic style characteristic of the training data used by large language models (LLMs). The script also contained a hallucinated CVSS score, another indicator that it was developed by an AI rather than a human. According to the report, neither Google's Gemini model nor Anthropic's Mythos was used by the attacker.

"There's a misconception that the AI vulnerability race is imminent. The reality is that it's already begun. For every zero-day we can trace back to AI, there are probably many more out there," said John Hultquist, chief analyst at GTIG. The report emphasizes that while this campaign was disrupted, the discovery signals how rapidly the AI threat landscape is evolving.

The GTIG report also detailed broader AI adoption by threat actors. Nation-state hacking groups from the People's Republic of China (PRC) and the Democratic People's Republic of Korea (DPRK) have demonstrated "significant interest" in capitalizing on AI for vulnerability discovery. Cybercriminal groups are using AI models to help develop malware and create operational support tools that are more difficult to detect by antivirus software and cybersecurity protections.

While attackers are deploying AI for sophisticated activities including zero-day development and malware obfuscation, the most common use remains the same as for ordinary users: employing LLMs for research and troubleshooting. By automating intelligence gathering and task support, cybercriminals free up time and resources to manage complex, multi-stage operations and run more effective campaigns.

"Threat actors are using AI to boost the speed, scale, and sophistication of their attacks. It enables them to test their operations, persist against targets, build better malware, and make many other improvements," said Hultquist. "State actors are taking advantage of this technology, but the criminal threat shouldn't be underestimated, especially given their history of broad, aggressive attacks."

This development underscores the urgent need for defenders to accelerate AI-driven security measures and for vendors to harden their products against AI-assisted vulnerability discovery. The report serves as a wake-up call that the era of AI-powered cyberattacks has arrived, and the security community must adapt accordingly.

Synthesized by Vypr AI