
AI-authored zero-days: how GTIG fingerprinted the first AI-built exploit

On May 11, 2026, Google's GTIG disclosed the first zero-day it believes was AI-built — a 2FA-bypass script betrayed by a hallucinated CVSS score and textbook docstrings. Here's how to read the tells.

2026-06-01 // 6 min // affects: open-source-web-admin-tools, 2fa-implementations, frontier-llms

What is this?

On May 11, 2026, the Google Threat Intelligence Group (GTIG) published a report stating that, for the first time, it had identified a threat actor using a zero-day exploit it believes was developed with AI. A criminal group with — in GTIG’s words — “a strong record of high-profile incidents and mass exploitation” planned to deploy it in a mass exploitation event. GTIG says its “proactive counter discovery” likely prevented that, working with the affected vendor to disclose and patch the flaw before the campaign launched.

The exploit itself is unremarkable in scope: a Python script that bypasses two-factor authentication on a popular open-source, web-based system administration tool and still requires valid user credentials. What makes the disclosure worth reading is not the bug but the provenance: the script carries observable fingerprints of large-language-model authorship, and the underlying flaw is one that traditional scanners are structurally bad at finding.

How it works

Two things in GTIG’s account matter for defenders.

First, the class of flaw. This was not a memory-corruption bug or an input-sanitization error. It was a high-level semantic logic flaw: the developer hardcoded a trust assumption into the 2FA enforcement logic — an exception that contradicted the control it was supposed to enforce. Fuzzers and static analyzers are optimized to find crashes and data-flow sinks, and this kind of dormant logic error looks functionally correct to them. Per GTIG, frontier models “excel at identifying these types of high-level flaws and hardcoded static anomalies” because they can read the developer’s intent and correlate the 2FA logic with the exceptions that quietly break it.

Second, the tells of AI authorship. GTIG attributes the exploit to AI with high confidence based on the artifact’s structure, not a confession:

Fingerprint                         What it looks like
----------------------------------  -------------------------------------------
Hallucinated CVSS score             A severity rating embedded in the code that
                                    does not correspond to any real CVE entry
Over-documented docstrings          "Educational" explanatory comments far
                                    beyond what an operator would write for
                                    a private offensive tool
Textbook Pythonic structure         Detailed help menus, a clean ANSI color
                                    class, idiomatic scaffolding characteristic
                                    of LLM training data

None of these is proof on its own — a human can write tidy code, and an operator can strip comments. But in combination, on a private attack tool where verbosity has no operational benefit, they form a recognizable signature. GTIG notes it does not believe its own Gemini model was used.

The report situates this inside a broader shift GTIG calls the “industrial-scale application of generative models within adversarial workflows”: China-linked UNC2814 directing a model to act as a “senior security auditor” for firmware research, North Korea’s APT45 sending thousands of recursive prompts to validate proof-of-concept exploits, and Russia-nexus malware families using AI-generated decoy code to camouflage their real function.

Why it matters

The capability that found this bug — reading developer intent to surface logic flaws — generalizes. Semantic logic flaws are exactly the long tail that has historically survived automated review because they require understanding what the code was meant to do, not just what it does. If frontier models close that gap at scale, the asymmetry shifts toward whoever runs the most analysis fastest. GTIG’s own chief analyst, John Hultquist, framed it bluntly: “There’s a misconception that the AI vulnerability race is imminent. The reality is that it’s already begun.”

The flip side is equally on display. The flaw was caught first by Big Sleep, the vulnerability-discovery agent from Google DeepMind and Project Zero — defensive AI reaching the bug ahead of the attacker. The race is symmetric; the question is who iterates faster.

Defenses

For defenders and incident responders, the practical takeaways are concrete.

Treat AI-authorship fingerprints as triage signals, not verdicts. Hallucinated CVSS scores in source, over-explanatory docstrings on offensive tooling, and suspiciously textbook structure are weak individual indicators that become meaningful in combination. Use them to prioritize review, never to attribute on their own.
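The three fingerprints from the table under "How it works", combined into a triage score as this paragraph recommends. This is an added example, not GTIG's tooling or code from the report. The thresholds, function names and the benign sample script are assumptions; the CVSS check only flags that a rating is present, and matching it against a real CVE entry stays with the analyst.

```python
import ast
import re

CVSS_RE = re.compile(r"\bCVSS\b.{0,30}\d\.\d", re.I)  # severity rating written in source
DOC_RATIO_MIN, HELP_ARGS_MIN = 0.30, 2  # assumed thresholds, tune on your own corpus
DOCUMENTED = (ast.Module, ast.ClassDef, ast.FunctionDef, ast.AsyncFunctionDef)

def is_color_class(cls):
    """True for a class holding only string constants, one or more ANSI escapes."""
    body = [s for s in cls.body if not isinstance(s, ast.Expr)]  # skip docstring
    vals = [s.value.value for s in body if isinstance(s, ast.Assign)
            and isinstance(s.value, ast.Constant) and isinstance(s.value.value, str)]
    return bool(vals) and len(vals) == len(body) and any("\x1b[" in v for v in vals)

def fingerprints(source):
    nodes = list(ast.walk(ast.parse(source)))
    lines = [l.strip() for l in source.splitlines() if l.strip()]
    docs = [ast.get_docstring(n) or "" for n in nodes if isinstance(n, DOCUMENTED)]
    doc_lines = sum(bool(l.strip()) for d in docs for l in d.splitlines())
    doc_lines += sum(l.startswith("#") for l in lines)
    help_args = sum(isinstance(n, ast.Call) and any(k.arg == "help" for k in n.keywords)
                    for n in nodes)
    color = any(isinstance(n, ast.ClassDef) and is_color_class(n) for n in nodes)
    return {"cvss_in_source": bool(CVSS_RE.search(source)),
            "over_documented": doc_lines / max(len(lines), 1) >= DOC_RATIO_MIN,
            "textbook_scaffolding": color and help_args >= HELP_ARGS_MIN}

def triage(source):
    """Two or more signals raise review priority; this never attributes authorship."""
    hits = fingerprints(source)
    return ("prioritize" if sum(hits.values()) >= 2 else "routine"), hits

# Constructed, benign sample that shows all three traits.
SAMPLE = r'''"""Disk usage reporter (constructed sample).
Severity: CVSS 9.8 (Critical)
Walks a directory and reports its size, for educational purposes.
"""
import argparse
class Colors:
    """ANSI color codes for terminal output."""
    RED = "\033[91m"
    RESET = "\033[0m"
def main():
    """Parse the command-line arguments for the report."""
    # Build the argument parser with detailed help text
    p = argparse.ArgumentParser(description="Report disk usage")
    p.add_argument("--path", help="Directory to scan")
    p.add_argument("--verbose", help="Print every file visited")
'''
```

`triage(SAMPLE)` returns the priority label with the per-signal dictionary, so a reviewer can see which traits fired.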

Close the semantic-flaw gap in your own review. Fuzzers and SAST will keep missing hardcoded trust assumptions and contradictory authorization exceptions. Pair them with LLM-assisted review that is prompted to look specifically for logic that contradicts stated security intent — the same capability attackers are using, turned inward — and keep human authorization-logic review in the loop for auth and 2FA paths.

Assume 2FA-bypass logic flaws exist in your stack and reduce blast radius: enforce defense-in-depth so a single bypass plus valid credentials does not equal full access, and monitor for authentication anomalies rather than trusting the gate.
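One way to monitor the outcome instead of trusting the gate, as an added example that is not from the GTIG report: flag every session created for a 2FA-enrolled account whose login attempt shows no second-factor success. The JSON-lines schema, event names and accounts are constructed assumptions, since the affected tool and its log format are not named.

```python
import json

# Constructed events in a hypothetical JSON-lines schema (not any real tool's log format).
SAMPLE_LOG = """\
{"ts": 100, "user": "alice", "login_id": "a1", "event": "password_ok"}
{"ts": 104, "user": "alice", "login_id": "a1", "event": "second_factor_ok"}
{"ts": 105, "user": "alice", "login_id": "a1", "event": "session_created"}
{"ts": 200, "user": "bob", "login_id": "b7", "event": "password_ok"}
{"ts": 201, "user": "bob", "login_id": "b7", "event": "session_created"}
{"ts": 300, "user": "carol", "login_id": "c3", "event": "password_ok"}
{"ts": 301, "user": "carol", "login_id": "c3", "event": "session_created"}
{"ts": 400, "user": "alice", "login_id": "a2", "event": "password_ok"}
{"ts": 401, "user": "alice", "login_id": "a2", "event": "session_created"}
"""
ENROLLED = {"alice", "bob"}  # constructed: accounts with 2FA turned on; carol has none


def sessions_missing_second_factor(log_text, enrolled):
    """Return session_created events for enrolled users whose login attempt
    shows no second_factor_ok. The check reads the event stream only, so it
    holds even when the enforcement code itself carries a bad exception."""
    verified, alerts = set(), []
    events = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    for ev in sorted(events, key=lambda e: e["ts"]):
        attempt = (ev["user"], ev["login_id"])
        if ev["event"] == "second_factor_ok":
            verified.add(attempt)
        elif (ev["event"] == "session_created" and ev["user"] in enrolled
              and attempt not in verified):
            alerts.append(ev)  # a verified earlier login (a1) does not cover a2
    return alerts
```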

Finally, adopt defensive AI on the discovery side. The lesson of this incident is not that AI gave attackers a new superpower; it is that the same agents find the same bugs, and the side that scans proactively wins the timing. Programs like Big Sleep and automated-remediation agents like CodeMender exist precisely to get there first.

Status

Item              Detail
----------------  -----------------------------------------------------
Disclosed         GTIG report, May 11, 2026 (33 pages)
Vulnerability     2FA-bypass logic flaw in an open-source web admin
                  tool (vendor unnamed); requires valid credentials
Status            Responsibly disclosed; vendor patched; planned
                  mass-exploitation event disrupted
AI involvement    High confidence the exploit was AI-developed; GTIG
                  states Gemini was not used
Found by defense  Google DeepMind / Project Zero “Big Sleep” agent
