Google's Threat Intelligence Group disclosed what it describes as the first known instance of threat actors using an AI language model to discover and weaponise a zero-day vulnerability in the wild. The exploit — a two-factor authentication bypass targeting an unnamed web-based system administration tool — was identified on 11 May and disrupted before the attackers could execute their planned mass exploitation campaign.
The technical details are revealing. GTIG assessed with high confidence that an unspecified AI language model was used to generate the exploit, which targeted a 'high-level semantic logic flaw arising as a result of a hard-coded trust assumption' in the administration tool. The vulnerability required valid user credentials for exploitation, suggesting the attackers had already compromised initial access and were using AI to escalate from authenticated access to full 2FA bypass.
The forensic evidence pointing to AI involvement is specific. The Python exploit script contained 'educational docstrings, including a hallucinated CVSS score' and used 'a structured, textbook Pythonic format highly characteristic of LLMs'. Hallucinated CVSS scores — where the AI assigns a plausible but fabricated severity rating to a vulnerability it discovered — are a distinctive fingerprint of AI-generated security code that human researchers would not produce.
Google stated there was no evidence that its own Gemini model was used in the attack. The identity of the AI system remains undisclosed. Multiple cybercrime threat actors 'appear to have collaborated together to plan' the mass exploitation campaign, indicating organised criminal coordination rather than a lone actor experiment.
Google worked with the affected vendor for responsible disclosure, and the flaw was patched before widespread exploitation could occur. The specific administration tool was not named publicly.
For context engineers, this crosses a threshold that security researchers have warned about for years. While AI-assisted vulnerability discovery has been demonstrated in controlled settings — most notably Anthropic's Claude Mythos finding 271 Firefox vulnerabilities — this is the first confirmed case of malicious actors using the same capability offensively. The asymmetry is stark: defenders like Mozilla use AI to find and fix bugs at scale, but attackers are now using AI to find and exploit them. The race between AI-powered offence and AI-powered defence is no longer theoretical.
