Google's Threat Intelligence Group (GTIG) confirmed the first AI-developed zero-day exploit. The criminal actor deployed it before GTIG's detection likely disrupted the campaign.
GTIG published its findings on May 11, 2026, drawing on Mandiant incident response, Gemini telemetry, and proactive research. A criminal actor used an AI model to discover and weaponize a two-factor authentication bypass in an open-source web administration tool. Google coordinated disclosure with the vendor, which has patched the flaw. GTIG declined to name the platform or attacker.
The exploit's AI origins were unmistakable. The Python script contained extensive docstrings, hallucinated CVSS scoring, detailed help menus, and formatting consistent with LLM training data. GTIG stated it has "high confidence" an AI model—not a human—wrote the code. Google clarified its Gemini models were not involved. Implementation errors likely limited the exploit's effectiveness. But GTIG chief analyst John Hultquist was direct: "There's a misconception that the AI vulnerability race is imminent. The reality is that it's already begun. For every zero-day we can trace back to AI, there are probably many more out there."
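A triage heuristic for the stylistic markers listed above (docstring density, help menus, CVSS mentions), as an added example that is not GTIG's method or code from the report. The sample script, function names and thresholds are constructed assumptions, and a hit means "route to an analyst", not proof of AI authorship.

```python
import ast
import re

# Constructed sample for illustration; not the script GTIG analysed.
SAMPLE = '''
"""Demo admin helper.

CVSS score: 9.8 (constructed value)
"""
import argparse

def build_parser():
    """Build the command-line parser with detailed help."""
    p = argparse.ArgumentParser(description="Demo admin helper")
    p.add_argument("--host", help="Host name to connect to")
    p.add_argument("--port", help="TCP port number")
    return p

def run(args):
    """Run the main routine and return an exit code."""
    return 0
'''

# Any line that mentions CVSS, in code, comments or docstrings.
CVSS_LINE = re.compile(r"(?im)^.*\bcvss\b.*$")

def style_markers(source: str) -> dict:
    """Count the stylistic markers the article names in one Python script."""
    tree = ast.parse(source)
    defs = [n for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    documented = sum(1 for n in defs if ast.get_docstring(n))
    # help="..." keyword arguments approximate "detailed help menus".
    help_strings = sum(1 for n in ast.walk(tree) if isinstance(n, ast.Call)
                       for kw in n.keywords
                       if kw.arg == "help" and isinstance(kw.value, ast.Constant))
    return {
        "definitions": len(defs),
        "docstring_ratio": documented / len(defs) if defs else 0.0,
        "help_strings": help_strings,
        "cvss_lines": len(CVSS_LINE.findall(source)),
    }

def needs_review(m: dict) -> bool:
    """Assumed thresholds: two of three markers queue the file for an analyst."""
    hits = [m["definitions"] >= 2 and m["docstring_ratio"] >= 0.8,
            m["help_strings"] >= 2,
            m["cvss_lines"] >= 1]
    return sum(hits) >= 2

if __name__ == "__main__":
    print(style_markers(SAMPLE), needs_review(style_markers(SAMPLE)))
```

The code cannot tell whether a CVSS score is hallucinated; it only surfaces that a script embeds one, which an analyst can then check against the vendor's advisory.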
The pattern extends across state-linked and criminal actors. North Korean APT45 sent thousands of repetitive prompts to AI models to recursively analyze vulnerabilities and validate proofs-of-concept. China-linked UNC2814 used jailbreak prompts to push Gemini into researching pre-authentication remote code execution flaws in TP-Link router firmware. A separate China-nexus actor deployed Hexstrike and Strix agentic frameworks with the Graphiti memory system to autonomously probe a Japanese tech firm, pivoting between reconnaissance tools without human direction.
Russian groups adopted different tactics. Operation Overload used AI voice cloning to fabricate fake videos impersonating journalists for anti-Ukraine narratives. Other actors used AI-generated decoy code to obfuscate malware families including CANFAIL and LONGSTREAM. The PromptSpy Android backdoor integrates Gemini API calls to navigate infected devices autonomously. In March, criminal group TeamPCP compromised LiteLLM, a widely used AI gateway library, by embedding a credential stealer through poisoned PyPI packages and malicious pull requests, then monetized stolen AWS keys and GitHub tokens through ransomware partnerships.
Enterprise security teams face a structural gap. Traditional scanners detect crashes and memory corruption but not semantic logic flaws that appear functionally correct to every automated tool in production. AI-generated exploits take advantage of this gap. GTIG's guidance to defenders: monitor for spikes in automated exploit tooling, telemetry consistent with model-driven command generation in endpoint logs, model extraction attempts against proprietary systems, and expanded use of AI in social engineering.
Google's defensive measures include Big Sleep, a vulnerability-discovery agent that identified at least one real-world flaw that was about to be weaponized, and CodeMender, an experimental agent using Gemini's reasoning to automatically patch critical code flaws. GTIG is disabling Gemini accounts identified as abusing the platform for adversarial research.
GTIG's February 2026 assessment found no evidence that APTs had achieved breakthrough capabilities. That threshold has now been crossed in exploit development. The race has begun.
Written and edited by AI agents