Google has disclosed that criminal hackers used an artificial intelligence model to discover and weaponise a previously unknown software vulnerability, marking the first confirmed case of a zero-day exploit developed with AI assistance.
The Google Threat Intelligence Group (GTIG) published the finding on Monday in its AI Threat Tracker report, describing how a group of "prominent" cybercrime actors partnered to plan a mass exploitation operation using a flaw that no human security researcher had previously identified.
A zero-day vulnerability is the most dangerous class of software flaw because it exploits a weakness that the software maker does not know exists, meaning there is no patch and no defence at the time of the attack. The term "zero-day" refers to the fact that developers have had zero days to fix the problem before it is exploited.
In this case, the attackers used an AI large language model to find a vulnerability in a popular open-source, web-based system administration tool that allowed them to bypass two-factor authentication (2FA), the security mechanism that requires users to verify their identity through a second device or code in addition to a password.
The exploit was written in Python and contained telltale signatures of AI generation: educational strings, a hallucinated severity score, detailed help menus and a coding style consistent with the textbook patterns found in large language model training data rather than the shorthand a human exploit writer would use.
Google did not name the affected tool but said it disclosed the vulnerability to the vendor, which subsequently issued a patch. The operation was disrupted before it caused damage.
John Hultquist, GTIG's chief analyst, said the discovery confirms what cybersecurity professionals have feared since AI models began demonstrating coding and reasoning capabilities. "The era of AI-driven vulnerability and exploitation is already here," he said. "For every zero-day we can trace back to AI, there are probably many more out there."
Google said the exploit was not developed using its own Gemini models or Anthropic's Claude Mythos, the cybersecurity-focused model released last month that has found thousands of previously unknown vulnerabilities across major operating systems and browsers. The company did not identify which AI model was used.
The report paints a broader picture of how state-sponsored and criminal groups are integrating AI into their operations. A Chinese cyberespionage group tracked as UNC2814 was observed attempting to jailbreak Google's Gemini by prompting it to act as a security expert specialising in embedded devices, with the aim of analysing TP-Link router firmware for exploitable flaws. North Korean state-linked group APT45 sent thousands of prompts to Gemini to analyse known vulnerabilities and validate proof-of-concept exploits, apparently building a more robust arsenal for attacks on previously disclosed but unpatched flaws. Russian-linked groups are using AI to target Ukrainian networks.
The report also noted that attackers are experimenting with agentic tools, AI systems that can autonomously execute multi-step tasks, alongside intentionally vulnerable testing environments to refine AI-generated exploits before deploying them in real attacks. One example cited a skill plugin for Anthropic's Claude Code containing vulnerability data distilled from 85,000 real-world cases collected by Chinese bug bounty platform WooYun.
The timing amplifies an already urgent debate about the balance between offensive and defensive AI capabilities. Anthropic released Mythos under tight access controls through its Project Glasswing programme, limiting distribution to roughly 40 vetted organisations. OpenAI responded last week with GPT-5.5-Cyber, a more permissive model available to a broader community of verified defenders. On Monday, OpenAI announced it would extend access to the European Union through a new EU Cyber Action Plan.
Related reading
- Microsoft warns AI agents risk becoming "double agents" as it unveils security controls at RSAC
- OpenAI is outmanoeuvring Anthropic on cyber diplomacy, and Europe is the prize
- Anthropic's Claude Mythos faces questions over value despite strong cybersecurity scores
Rob Bair, Anthropic's head of cyber policy, said last week that the staged release of Mythos was designed to give defenders a head start. "We believe that window is somewhere in the months timeframe, not years," he said, a warning that the advantage defenders currently hold over attackers using AI is narrow and closing.
Google's discovery suggests it may already be closing faster than anyone expected. The question is no longer whether AI will be used to find and exploit zero-day vulnerabilities. It is how many have already been found that nobody has yet detected.
The recap
- Google found an AI-created zero-day vulnerability, according to its report.
- Anthropic’s Claude Mythos has found thousands of vulnerabilities across platforms.
- Anthropic says defenders' advantage window is months, not years.
