
Tags: security, ai, vulnerability, devops

Google Catches First AI-Built Zero-Day in the Wild: A 2FA Bypass Designed for Mass Exploitation

Source: The Hacker News

On May 11, 2026, Google’s Threat Intelligence Group (GTIG) published findings that confirm a threshold has been crossed in the evolution of cybercrime: a threat actor used an AI model to write a functional zero-day exploit and planned to deploy it in a mass exploitation campaign. The target was a logic flaw in a widely deployed open-source web administration tool. The exploit, a Python script, bypassed two-factor authentication by abusing a hardcoded trust assumption in the application’s authentication flow, a semantic error subtle enough that it had gone undetected in the codebase for some time.

GTIG identified the script as AI-generated based on a distinctive set of characteristics: educational-style docstrings, a hallucinated CVSS score included as a comment, unusually clean and textbook-structured Python, a fabricated ANSI color helper class, and a level of code consistency that analysts describe as atypical for human-authored exploit code. These fingerprints are now part of GTIG’s threat detection methodology.
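As an added illustration, not code from the GTIG report or the original article: a triage heuristic that scans a Python script for the style markers listed above (textbook docstrings, a CVSS score in a comment, an ANSI colour helper class) using the standard `ast` module. The two samples are constructed and harmless, and the indicator set and threshold are my own assumptions, not GTIG's methodology.

```python
import ast
import re

# Constructed sample (harmless) exhibiting the markers the article lists:
# textbook docstrings, a CVSS score in a comment, an ANSI colour helper class.
SUSPECT = '''\
"""Utility module for an educational walkthrough."""
# CVSS: 9.8 (Critical)
import sys
class Colors:
    """ANSI color codes for terminal output."""
    RED = "\\033[91m"
    RESET = "\\033[0m"

def check(host: str) -> bool:
    """Return True when the host string is non-empty.

    Args:
        host: The hostname to check.
    """
    return bool(host)
'''

# Constructed sample: a terse, undocumented utility with none of the markers.
PLAIN = '''\
import sys
def chk(h):
    return bool(h)
'''

CVSS_RE = re.compile(r"#.*\bCVSS\b", re.IGNORECASE)     # CVSS score left in a comment
ANSI_RE = re.compile(r"\\033\[|\\x1b\[|\x1b\[")        # escaped or raw ESC sequences

def score_script(source: str) -> dict:
    """Count the style markers above; a high count routes to an analyst, it is not proof of AI authorship."""
    tree = ast.parse(source)
    defs = [n for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    documented = sum(1 for n in defs if ast.get_docstring(n))
    ansi_class = any(ANSI_RE.search(ast.get_source_segment(source, n) or "")
                     for n in ast.walk(tree) if isinstance(n, ast.ClassDef))
    indicators = {
        "module_docstring": ast.get_docstring(tree) is not None,
        "textbook_docstrings": bool(defs) and documented / len(defs) >= 0.8,
        "cvss_comment": bool(CVSS_RE.search(source)),
        "ansi_helper_class": ansi_class,
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "score": score,
            "verdict": "analyst review" if score >= 3 else "low"}
```

Clean, well-documented human code will also score high, so the verdict is a triage priority for a reviewer, not an attribution.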

The exploit was caught before the planned mass exploitation event was carried out. Google says it has high confidence that the threat actor intended broad deployment rather than targeted use, which would have placed a large number of organisations relying on the affected tool at risk simultaneously.

The implications for security teams are significant. The traditional assumption that developing novel exploits requires specialised expertise, time, and deep knowledge of a target system is weakening. AI lowers the barrier to identifying and weaponising logic flaws, particularly in open-source software where code is publicly accessible and can be fed directly into a model for analysis. The volume and speed at which exploit code can now be generated are both increasing.

From a practical standpoint, this finding reinforces several priorities that often receive less attention than they deserve. Open-source dependencies need to be treated as part of your attack surface, not just as free infrastructure. Authentication logic in any tool that handles privileged access deserves adversarial review, not just functional testing. And threat intelligence feeds now need to account for AI-assisted attack patterns, which may look structurally different from what analysts have historically flagged.

If you want to assess the maturity of your organisation’s vulnerability detection and response capabilities in light of AI-accelerated threats, contact Excello Digital and we can help you build a programme that keeps pace with the changing threat landscape.
