Open-Source AI Models Power Self-Spreading Worm in Enterprise Test Network
Researchers demonstrate a computer worm built using a publicly available, open-weight AI model that adapts to exploit known vulnerabilities and spread laterally.
The growing concern over advanced AI models like Mythos and GPT 5.5-Cyber being used for malicious purposes is overshadowing a more immediate threat: attackers are already leveraging free, publicly available open-weight AI models to compromise networks and software supply chains at a significantly lower cost. A recent demonstration by University of Toronto researchers highlights this emerging danger, showcasing a computer worm developed using an unnamed, readily accessible open-weight model released in 2025. This self-propagating malware dynamically adapts to identify known vulnerabilities and misconfigurations within target systems, subsequently generating and executing attacks to move laterally across an enterprise test network.
Professor Nicolas Papernot of the University of Toronto emphasized that the security implications extend beyond the most powerful AI systems. "People need to understand that it’s not just the biggest and most powerful AI models that pose security concerns – a whole other area of threat has been vastly underestimated," Papernot stated. He and his co-authors, Jonas Guan, Tom Blanchard, Hanna Foerster, Hengrui Jia, and Gabriel Huang, detailed their findings, noting that while safety features in commercial AI are crucial, they will not fully prevent the threat posed by AI-driven worms with similar architectures. The research underscores that most real-world cyberattacks do not rely on zero-day vulnerabilities; instead, attackers can now efficiently operationalize known flaws at scale, drastically reducing the time defenders have to patch systems and address human errors like weak passwords or misconfigured backups.
The researchers deliberately omitted specific details about the AI model used and certain methodological aspects to prevent misuse, though they shared enough information for scientific scrutiny. The code itself will not be publicly released, but a vetting process is being established for qualified researchers to access it for defensive research. This approach aims to balance transparency with security, ensuring the threat is credible without providing a direct blueprint for malicious actors.
Contrary to the fear surrounding zero-day exploits, this prototype worm targets only publicly disclosed but unpatched vulnerabilities, misconfigurations, and common weakness classes. This focus aligns with the reality of most cyberattacks, which often exploit flaws for which patches are already available, citing WannaCry and NotPetya as historical examples of rapid, widespread disruption caused by such vulnerabilities. The worm demonstrated an ability to ingest publicly available security advisory information at runtime, enabling it to develop exploits for vulnerabilities disclosed after the AI model's training cutoff.
While the research draws parallels to the destructive potential of WannaCry and NotPetya, the current prototype is not expected to cause similar levels of global disruption. Those earlier worms infected hundreds of thousands of computers within days and employed sophisticated evasion techniques. This new worm, in contrast, operates at a much slower pace. In the "FakeCorp" test network, it took approximately five days to spread across half the network, requiring numerous AI inference calls per target for reconnaissance and attack generation. This slower propagation offers defenders a more extended window for detection and response, though this timeline is expected to shorten with advancements in AI hardware and model efficiency.
Furthermore, the researchers intentionally omitted concealment capabilities from the worm, meaning it does not attempt to hide its tracks or minimize its network footprint. This deliberate choice was made to further mitigate the risk of misuse. It is also important to note that the test network lacked typical security defenses such as endpoint detection, antivirus, or firewall software, making the experimental setup less realistic than a production environment.
The experiments involved deploying the worm prototype autonomously in an isolated 33-host network across Linux servers, Windows environments, and IoT devices, each seeded with known vulnerabilities. Over seven days, the worm successfully identified an average of 31.3 vulnerabilities, exploited 23.1 hosts to gain elevated access, and propagated to 20.4 hosts, reaching up to seven generations of self-replication. On average, the proof-of-concept worm compromised 73.8 percent of the network and replicated to 61.8 percent, demonstrating its efficacy in exploiting known weaknesses and expanding its reach within the test environment.
This research serves as a critical wake-up call, demonstrating that even readily available, less sophisticated AI models can be weaponized to automate and scale attacks using existing vulnerabilities. It highlights the urgent need for organizations to bolster their defenses against AI-assisted threats, focusing on rapid patching, robust configuration management, and enhanced threat detection capabilities, rather than solely preparing for hypothetical zero-day attacks.