Skip to content
AI SecurityLLMVulnerability ResearchCVE

First AI-Generated Zero-Day Exploit Caught in the Wild | LLM-Assisted 2FA Bypass

4 min read
Share

First AI-Generated Zero-Day Exploit Caught in the Wild

On May 11, 2026, Google's Threat Intelligence Group published a report with a sentence that changes the threat landscape: "For the first time, GTIG has identified a threat actor using a zero-day exploit that we believe was developed with AI."

That is not a theoretical warning. It is a confirmed incident.

What happened

A criminal threat actor used an LLM to discover a previously unknown vulnerability in a popular open-source, web-based system administration tool. The vulnerability is a 2FA bypass rooted in a hardcoded trust assumption, a semantic logic flaw that the application's original developers built in without recognizing the security implication.

The attacker wrote a Python exploit using the LLM, then planned to use it in what Google describes as "a mass exploitation event." Google intercepted the attack before it could be executed and worked with the affected vendor on responsible disclosure. The vendor's name and the tool were not disclosed.

How Google attributed AI involvement

Google did not find a receipt. There is no log showing which model was used or when. What they found was the code itself.

The Python exploit script carries characteristics strongly associated with LLM-generated output: an abundance of educational docstrings explaining each step in plain language, a hallucinated CVSS score that does not match any official entry, and a structured textbook Pythonic format with clean ANSI color classes and detailed help menus. This is not how humans write exploitation code. Humans write for function. LLMs write for readability and comprehensiveness.

GTIG assessed with high confidence that an AI model was used. They were careful not to claim certainty on which model.

Why a semantic logic flaw matters here

Most vulnerability discovery automation finds memory corruption, injection primitives, or protocol violations. These are structural flaws that tools like fuzzers and static analyzers can detect by pattern.

A hardcoded trust assumption is different. It is a design-level decision that the developer made deliberately, without realizing it had security consequences. The code is syntactically correct. The logic is internally consistent. Static analysis does not flag it because there is nothing technically wrong with the code on its own terms.

LLMs, trained on enormous volumes of code and documentation, can reason about intent. They can read a function, understand what it is supposed to do, and identify the cases where the assumption fails. That is a qualitatively different capability from what automated scanners do.

What this means for defenders

First, the detection heuristic. If you are reviewing suspicious proof-of-concept code and it has detailed docstrings explaining each step, a CVSS score that you cannot find in NVD or MSRC, and a clean structured format that looks more like a tutorial than an exploit, treat that as a signal. LLM-written exploit code has a fingerprint.

Second, the threat model update. The barrier to vulnerability discovery just got lower. An attacker no longer needs a decade of binary analysis experience to find a semantic flaw. They need access to an LLM and enough understanding of the target application to ask the right questions. For defenders, this means the assumption that "our attack surface is too complex for low-skill actors to exploit" is weaker than it was yesterday.

Third, the timeline compression. The CrowdStrike 2026 Global Threat Report documented that average adversary breakout time is now 29 minutes. The Google GTIG report documents that the discovery timeline from "concept" to "working exploit" is now potentially hours, not months, for a well-prompted LLM. These two data points together describe a threat environment where defenders have less time at every stage of the kill chain.

What you should do now

Review your web-facing admin tools. Any tool running on an internet-accessible host with SMS-based 2FA is now higher risk than it was before this disclosure. Prioritize patching and authentication hardening on those systems.

Add LLM-generated code characteristics to your threat hunting heuristics. Docstring density, hallucinated metadata, and textbook formatting in exploit code are now signals worth flagging.

Revisit your authentication architecture. The specific vulnerability Google documented is a 2FA bypass via a hardcoded trust assumption. The pattern, trusting a condition that an attacker can satisfy without the expected credential proof, is worth auditing across your own internal tools and APIs.

The Google GTIG team intercepted this one. The next one may not be intercepted first.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to discuss AI security threat modeling for your organization.

Related articles

AI SecurityLLMVulnerability Research

Frontier AI Just Found 7x More Bugs: What That Means for Your Patch Window

Unit42 used frontier AI to scan 130 products in a month and found 75 real vulnerabilities—7x their usual rate. Here’s what that means for your attacker window and how to compress mean-time-to-patch, cut exposure, and integrate AI into your SOC.

CVEVulnerability Research

Windows DNS is the New Perimeter: What CVE-2026-41096 Means for Your Network

Microsoft’s May 2026 Patch Tuesday shipped with no zero-days, but two unauthenticated 9.8 CVSS vulnerabilities in Windows DNS Client and Netlogon make immediate patching critical for every Windows environment.

AI SecurityAgentic AIcredential-theft

71% of Organizations Breached Through Identity Gaps — And AI Agents Are Making It Worse

Sophos’ State of Identity Security 2026 report shows 71% of organizations suffered an identity-related breach in the past year, with non-human identities and AI agents rapidly expanding the attack surface.