We built a vulnerability vending machine: AI tokens in, zero-days out
Summary
Intruder has developed an AI-powered system, dubbed a "vulnerability vending machine," that automates the discovery of complex software vulnerabilities by integrating code slicing with large language models. The system successfully identified and exploited a previously unknown zero-day vulnerability in a WordPress plugin, with further discoveries being disclosed responsibly.
IFF Assessment
This discovery represents a concerning advancement in automated vulnerability discovery, potentially empowering adversaries to find and exploit zero-days more efficiently.
Severity
The AI-discovered zero-day in a WordPress plugin likely has a significant attack vector (Network) and high impact (Confidentiality, Integrity, Availability), making it a critical vulnerability. An estimated CVSS score of 8.0 reflects this potential.
Defender Context
This development highlights the growing sophistication of AI-driven offensive capabilities, where attackers can potentially automate the hunt for zero-day exploits. Defenders should be vigilant about the security of widely used plugins and platforms, and prepare for a potential increase in sophisticated, rapidly discovered exploits.