WHAT A ZERO-DAY IS
A zero-day is a vulnerability the vendor does not yet know about — meaning defenders have had zero days to patch it. The value is asymmetric: the attacker holds working code against every unpatched system on Earth until disclosure.
THE EXPLOIT PIPELINE
Turning a bug into a working exploit traditionally requires four stages: vulnerability discovery, primitive construction, exploitation chaining, and weaponization. Each stage historically demanded a specialist; the bottleneck was human reverse-engineering time, not raw compute.
WHY AUTH LOGIC FLAWS ARE DIFFERENT
Memory-corruption bugs (buffer overflows, use-after-free) require deep low-level skill. Authentication logic flaws — a forgotten check, a misordered state transition — are reasoning bugs. They look like a code review puzzle, which is exactly the shape LLMs handle well.
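The kind of reasoning bug this paragraph describes, as an added example that is not part of the original page: a login state machine whose "finish" step never checks that MFA was completed, beside a hardened version that lists every legal transition explicitly. The State, VulnerableLogin, HardenedLogin and final_state names are assumptions of this illustration.

```python
# Added illustration (constructed, not code from the original page): a forgotten
# check in a login state machine, beside its hardened form.
from enum import Enum, auto

class State(Enum):
    START = auto()
    PASSWORD_OK = auto()
    MFA_VERIFIED = auto()
    AUTHENTICATED = auto()

class VulnerableLogin:
    """'finish' is accepted from PASSWORD_OK without consulting mfa_enrolled,
    so the MFA step can be skipped for an enrolled account."""

    def __init__(self, mfa_enrolled: bool):
        self.state, self.mfa_enrolled = State.START, mfa_enrolled

    def handle(self, event: str, ok: bool = True) -> State:
        if event == "password" and self.state is State.START and ok:
            self.state = State.PASSWORD_OK
        elif event == "mfa_code" and self.state is State.PASSWORD_OK and ok:
            self.state = State.MFA_VERIFIED
        elif event == "finish" and self.state in (State.PASSWORD_OK, State.MFA_VERIFIED):
            self.state = State.AUTHENTICATED  # forgotten check: MFA never required here
        return self.state

class HardenedLogin(VulnerableLogin):
    """Every transition is listed explicitly; 'finish' from PASSWORD_OK is legal
    only when the account has no MFA, so no path skips a required factor."""

    def handle(self, event: str, ok: bool = True) -> State:
        table = {
            (State.START, "password"): State.PASSWORD_OK,
            (State.PASSWORD_OK, "mfa_code"): State.MFA_VERIFIED,
            (State.MFA_VERIFIED, "finish"): State.AUTHENTICATED,
        }
        if not self.mfa_enrolled:
            table[(State.PASSWORD_OK, "finish")] = State.AUTHENTICATED
        nxt = table.get((self.state, event))
        if nxt is not None and ok:
            self.state = nxt
        return self.state  # unlisted (state, event) pairs never advance the login

def final_state(login_cls, events, mfa_enrolled: bool) -> State:
    """Drive a login through a sequence of client events and return where it ends."""
    login = login_cls(mfa_enrolled)
    for event in events:
        login.handle(event)
    return login.state
```

Reviewing the vulnerable handler is a pure control-flow question, which is why this bug class needs no memory-layout knowledge to spot or to fix.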
THE OFFENSE-DEFENSE ASYMMETRY
Defenders must close every door; attackers need one. AI lowers the cost of finding the one door faster than it lowers the cost of auditing every door, because audit requires guaranteeing absence of bugs while attack only requires producing one. The asymmetry compounds.
THE MARKET
Zero-days have a price list. Zerodium has publicly offered up to $2.5M for an Android remote chain and $2M for iOS. Commercial brokers like NSO Group resell to governments; the gap between bug-bounty payouts and grey-market prices is the structural incentive for the trade.
THE PROJECT ZERO PRECEDENT
Google's Project Zero, founded in 2014, established the 90-day disclosure norm: report a bug, give the vendor 90 days, then publish regardless. The norm exists because vendors historically sat on reports for years. AI-built exploits compress the entire timeline — discovery to weaponization may now run in days, not the months disclosure rules were designed around.
HARVEST NOW, EXPLOIT LATER
The deeper worry is not this one bug. It is that an LLM trained on every disclosed CVE, exploit writeup, and patch diff in history can interpolate to bugs that were never disclosed — finding patterns in patches that reveal vulnerabilities the vendor never publicly acknowledged.