AI and Security: Zero-day exploits through AI are already a reality

A study shows that AIs can create complex zero-day exploits. The consequence: the search for security vulnerabilities is being successfully industrialized and scaled.


According to a recent study, Artificial Intelligence can already perform complex tasks such as writing zero-day exploits, which were previously handled by human experts. The paper is accordingly causing a stir in the security community, and deservedly so: the study differs fundamentally from "Trust me, bro" reports about some Chinese attackers supposedly doing incredible things. The author, Sean Heelan, documents exactly what he did, how he did it, and why. He also makes the prompts and tools developed in the process available as open source. Finally, in his analysis, he discusses the conclusions he draws from the results, as well as their limitations.

The core message of Heelan's contribution "On the Coming Industrialisation of Exploit Generation with LLMs" is: The discovery and concrete exploitation of security vulnerabilities with exploits is being completely industrialized with AI. The limiting factor for "a state or group's ability to develop exploits, penetrate networks, [...] and remain in those networks" will no longer be the number of hackers they employ. The relevant limit is "token throughput over time" – ultimately, how much money one invests in AI resources. And this is not a distant future, but apparently already a reality. The author of the study was able to observe this very concretely in his experiments: "As the challenges became more difficult, I could spend more and more tokens to continue finding solutions. Ultimately, my budget was the limiting factor, not the models."

Heelan found a zero-day bug in QuickJS (using an AI, by the way). QuickJS is a simple JavaScript interpreter with various limitations, but already a quite complex piece of software. He then built agents based on Anthropic's Opus 4.5 (Claude) and OpenAI's GPT-5.2 (ChatGPT), tasked with independently creating functional exploits for this bug. Because the vulnerability was not yet documented anywhere, the AI could not copy from anywhere, and Heelan rigorously verified the results (and actually caught one of the AIs trying to cheat).

To make the results more meaningful, Heelan gradually added additional exploit mitigations such as a sandbox and control flow integrity, which progressively and sometimes drastically increased the difficulty of the task. The goal was always proven remote code execution – for example, a connection to an external network port with a shell with the rights of the executing JS interpreter. These were therefore real and quite demanding tasks, which would normally require at least one experienced security specialist – preferably a team. The AIs were given no instructions or even assistance, but merely an environment in which they could search for possible solutions, evaluate them, and then discard or further improve them.

And the result was impressive: ChatGPT actually solved all tasks; Claude managed all but two. In total, the AIs created 40 functional exploits. They did not discover groundbreaking things, but rather exploited known limitations and weaknesses of the respective mitigations to bypass them. They worked out for themselves how to exploit these in the specific cases. And they came up with tricks that were previously unknown to Sean and that he could not find on the internet.

Under documented, verifiable conditions, Heelan demonstrates that AIs have irreversibly changed IT security, and how: one can buy attack tools for tokens, and this scales independently of human resources. In his words: "You can trade tokens for real results."

The fact that attack capability scales with the attacker's resources is already known. It's no coincidence that state-funded Advanced Persistent Threats play in the top league in this regard. But we are no longer talking about multi-million dollar investments: for solving the most demanding task, ChatGPT needed a little over three hours; the cost for this agent run was about 50 US dollars. This could therefore easily be multiplied by ten, a hundred, or even a thousand without exceeding the budget of a medium-sized cybercrime gang. This scales in a way that was previously thought impossible.

It would therefore be feasible for the first time to create an arsenal of functional zero-day exploits for almost all internet-connected devices with a manageable investment. A connection to the internet would then no longer be a theoretical risk that can be managed. It would rather mean the certainty that someone out there directly has the ability to exploit vulnerabilities – and, if in doubt, will do so.

For this scenario, we need to rethink security. That does not necessarily mean new technology for making IT secure: we know how to do that, and the known methods also work against AI-assisted attacks. The central challenge is how we get this security into the mainstream, so that the existence of security vulnerabilities becomes an exception, not the rule.

What we urgently need in any case are more studies of this kind and quality, which not only improve our understanding of the capabilities of AIs but also actively support further research. In particular, we need similarly constructive approaches to evaluate the other side of the coin – how to make life harder for attackers with AI and help defenders. And by that, I don't mean even more flashy advertising for supposed AI functions in security tools or more "trust us – we've got this"

(ju)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.