We built a vulnerability vending machine: AI tokens in, zero-days out

Summary

Intruder has developed an AI-powered system, dubbed a "vulnerability vending machine," that automates the discovery of complex software vulnerabilities by integrating code slicing with large language models. The system successfully identified and exploited a previously unknown zero-day vulnerability in a WordPress plugin, with further discoveries being disclosed responsibly.

IFF Assessment

FOE

This discovery represents a concerning advancement in automated vulnerability discovery, potentially empowering adversaries to find and exploit zero-days more efficiently.

Severity

8.0 High (AI Estimated)

The AI-discovered zero-day in a WordPress plugin likely has a significant attack vector (Network) and high impact (Confidentiality, Integrity, Availability), making it a critical vulnerability. An estimated CVSS score of 8.0 reflects this potential.

Defender Context

This development highlights the growing sophistication of AI-driven offensive capabilities, where attackers can potentially automate the hunt for zero-day exploits. Defenders should be vigilant about the security of widely used plugins and platforms, and prepare for a potential increase in sophisticated, rapidly discovered exploits.

Read Full Story →