The Google Threat Intelligence Group (GTIG) today released evidence of a zero-day exploit developed by a cybercriminal group with the help of AI. It marks the first time the security research group has identified what it believes to be an AI-crafted zero-day exploit in the wild.
While evidence of threat actors using AI models for vulnerability research and discovery has existed for some time, instances of AI-generated zero-day exploits have proved rare or difficult to confirm.
“We observed prominent cyber crime threat actors partnering to plan a mass vulnerability exploitation operation,” GTIG researchers wrote in a new report about AI abuse by malicious attackers. “Our analysis of exploits associated with this campaign identified a zero-day vulnerability implemented in a Python script that enables the user to bypass two-factor authentication (2FA) on a popular open-source, web-based system administration tool.”
While GTIG hasn’t named the affected tool, the team disclosed the vulnerability to the vendor, possibly heading off mass exploitation. Such incidents may become more common, however, as AI models’ reasoning capabilities advance to the point where they can discover high-level logic flaws rather than just basic memory corruption and improper input sanitization bugs.
This was the case with the Python 2FA bypass: the exploit required valid credentials, but the underlying flaw stemmed from the tool’s developers hardcoding an ineffective trust assumption.
“Though frontier LLMs struggle to navigate complex enterprise authorization logic, they have an increasing ability to perform contextual reasoning, effectively reading the developer’s intent to correlate the 2FA enforcement logic with the contradictions of its hardcoded exceptions,” the GTIG researchers concluded. “This capability can allow models to surface dormant logic errors that appear functionally correct to traditional scanners but are strategically broken from a security perspective.”
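GTIG has not published the vulnerable code, but a minimal, hypothetical Python sketch illustrates the class of flaw the researchers describe: 2FA enforcement that looks correct in isolation yet is silently negated by a hardcoded trust exception. Every name below is invented for illustration.

```python
# Hypothetical sketch of the flaw class GTIG describes; this is NOT the
# actual tool's code, which has not been published. All names invented.
import hmac

USERS = {"admin": "correct horse battery staple"}   # toy credential store
CURRENT_OTP = {"admin": "492817"}                   # toy TOTP store

# The hardcoded trust assumption: "internal" clients were exempted
# from 2FA when the feature was first wired up.
TRUSTED_PREFIXES = ("10.", "192.168.")

def login(username, password, otp, client_ip):
    stored = USERS.get(username, "")
    if not hmac.compare_digest(stored, password):
        return False
    # Dormant logic error: client_ip is derived from a spoofable proxy
    # header, so an attacker with stolen credentials can skip the OTP
    # check entirely by forging an "internal" source address.
    if client_ip.startswith(TRUSTED_PREFIXES):
        return True
    return otp is not None and hmac.compare_digest(
        CURRENT_OTP.get(username, ""), otp
    )

# Valid credentials plus a forged internal address: no OTP ever checked.
assert login("admin", "correct horse battery staple", None, "10.0.0.5")
```

A traditional scanner sees a password check, an OTP check, and no dangerous API calls; the contradiction only surfaces by correlating the developer’s intent (always enforce 2FA) with the hardcoded exception, which is exactly the contextual reasoning GTIG describes.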
GTIG offered several pieces of evidence suggesting that an AI model was used both to discover the vulnerability and to write the exploit. For example, the Python script contains educational strings and a hallucinated CVSS score. The code also includes textbook Python programming elements that are consistent with LLM training data but that a human would be unlikely to include in an exploit, such as detailed help menus and a clean _C ANSI color class.
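The recovered script itself has not been released, but the tells GTIG lists are easy to picture. The hypothetical fragment below shows scaffolding of the kind flagged: tutorial-style strings, a detailed argparse help menu, and a tidy ANSI color class, all patterns an LLM reproduces readily from training data but a human attacker rarely bothers to write.

```python
# Hypothetical fragment illustrating the stylistic tells GTIG cites;
# not the recovered exploit, which has not been published.
import argparse

class _C:
    """Tidy ANSI color helper of the kind flagged in the script."""
    GREEN = "\033[92m"
    RED = "\033[91m"
    END = "\033[0m"

def main():
    # Tutorial-style "educational strings" and a detailed help menu,
    # plus a fabricated severity score standing in for the hallucinated
    # CVSS value GTIG found embedded in the real script.
    parser = argparse.ArgumentParser(
        description="Demonstrates a 2FA bypass (CVSS 9.8). "
                    "For educational purposes only."
    )
    parser.add_argument("--target", required=True, help="Target host URL")
    args = parser.parse_args()
    print(f"{_C.GREEN}[+] Target set to {args.target}{_C.END}")

if __name__ == "__main__":
    main()
```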
Other evidence of AI-assisted vulnerability discovery
While the 2FA exploit was not developed using Google’s Gemini family of models, GTIG has discovered other instances where known threat actors tried to abuse Gemini for exploit discovery. This is consistent with observations from other frontier AI labs such as Anthropic and OpenAI.
Google researchers recently observed a Chinese cyberespionage group, tracked as UNC2814, trying to bypass Gemini’s guardrails with prompts directing the model to act as a security expert specializing in embedded devices.
The attackers tried to use such persona-driven jailbreak prompting to analyze the firmware of TP-Link and other embedded devices for vulnerabilities. Implementations of the Odette File Transfer Protocol (OFTP) were also targeted.
UNC2814 has targeted telecommunications and government entities in more than 42 countries since 2017. The group has a history of gaining initial access to networks by exploiting vulnerabilities in edge systems and web applications.
In a separate AI abuse case, a North Korean state-linked threat group tracked as APT45 was observed sending thousands of prompts to Gemini to analyze various known flaws or validate proof-of-concept exploits, likely in an effort to build a more robust arsenal of exploits for n-day vulnerabilities.
Attackers were also observed priming AI models with known vulnerability data to improve the models’ accuracy in code analysis and surface flaws that would otherwise be harder to detect. One example is a skill plug-in for Claude Code, Anthropic’s terminal-based agentic coding tool, that contains information distilled from 85,000 real-world vulnerability cases collected by the Chinese bug bounty platform WooYun between 2010 and 2016.
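As a rough illustration of what such priming can look like mechanically, here is a minimal sketch using Anthropic’s public Python SDK. The model ID, the distilled patterns, and the code under review are all placeholder assumptions; the WooYun-derived skill itself has not been published, and defenders use the identical technique for legitimate code audits.

```python
# Generic sketch of priming an LLM with distilled vulnerability
# patterns before code analysis (pip install anthropic). Placeholder
# patterns and model ID; not the WooYun-derived skill GTIG describes.
from anthropic import Anthropic

DISTILLED_PATTERNS = """\
- Authentication branches with hardcoded exceptions (IPs, headers, debug flags)
- Trust decisions based on client-supplied values such as X-Forwarded-For
- 2FA/OTP checks skipped when an optional parameter is absent
"""

SNIPPET = open("login_handler.py").read()  # hypothetical code under review

client = Anthropic()  # reads ANTHROPIC_API_KEY from the environment
response = client.messages.create(
    model="claude-sonnet-4-5",  # placeholder model ID
    max_tokens=1024,
    # The "priming": front-load distilled patterns in the system prompt
    # so the model weighs them while reading the target code.
    system="You are auditing code for security flaws. Prioritize these "
           "historically common patterns:\n" + DISTILLED_PATTERNS,
    messages=[{"role": "user", "content": "Review this handler:\n" + SNIPPET}],
)
print(response.content[0].text)
```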
“To facilitate these activities, actors are also experimenting with agentic tools such as OpenClaw and OneClaw alongside intentionally vulnerable testing environments,” the GTIG researchers wrote. “The use of these tools alongside vulnerability research suggests an interest in refining AI-generated payloads within controlled settings to increase exploit reliability prior to deployment.”
The GTIG report contains other examples of AI usage in the cyberattack lifecycle, including malware development and obfuscation, autonomous attack orchestration, infrastructure deployment, agentic workflows for generating deepfake content used in information campaigns, and more.