
AI capable of rapidly producing novel Vulnerabilities (CVEs) in a short timeframe?

Artificial intelligence engineers display a novel system capable of autonomously crafting software vulnerabilities, potentially shrinking the response time for cybersecurity personnel.


In a groundbreaking development, researchers Efi Weiss and Nahman Khayet have created an AI system that can generate working exploits for known security vulnerabilities (CVEs) in just 10 to 15 minutes.

The system, which has been tested with OpenAI's GPT-5 model in particular, has been found to be notably efficient. Security companies such as Neuraltrust and SPLX identified severe vulnerabilities allowing such exploits to be designed within about 24 hours of testing. These findings suggest that such AI-enabled, attack-capable systems can become available very rapidly, potentially within a day of deployment or exposure.

The AI system is based on a multi-stage pipeline that analyses CVE descriptions and code patches, creates vulnerable test applications and exploit code, and tests their effectiveness. To ensure type safety and speed up tests, the system was later switched to pydantic-ai, and a caching layer was introduced.

The work was divided among multiple specialized agents, each receiving detailed system prompts. These agents used large language models (LLMs) for data analysis and context enrichment. A refinement loop was implemented to avoid false alarms, requiring the exploit to be tested against both the vulnerable and the patched version.
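Seen from the defender's side, the same two-build comparison is how a regression check is shown to exercise the bug a patch fixes. The following sketch is an added illustration, not the researchers' code: the toy message verifier, its key, and every function name are constructed for this example and do not model any real CVE.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not from the article


def _tag(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).digest()


def open_vulnerable(body: bytes, tag: bytes):
    """Toy 'before' build: computes the check but never enforces it."""
    hmac.compare_digest(_tag(body), tag)  # result ignored: the bug
    return body


def open_patched(body: bytes, tag: bytes):
    """Toy 'after' build: rejects any message whose tag does not verify."""
    if not hmac.compare_digest(_tag(body), tag):
        return None
    return body


def check_bad_tag_accepted(open_fn) -> bool:
    """Regression check: True if a message with a wrong tag is accepted."""
    return open_fn(b"tampered body", b"\x00" * 32) is not None


def check_valid_accepted(open_fn) -> bool:
    """Badly targeted check: only proves that valid messages are accepted."""
    body = b"ordinary body"
    return open_fn(body, _tag(body)) is not None


def classify(check) -> str:
    """Run one check against both builds and label the outcome."""
    on_vuln, on_patched = check(open_vulnerable), check(open_patched)
    if on_vuln and not on_patched:
        return "confirmed"    # fires only where the bug exists
    if on_vuln and on_patched:
        return "false-alarm"  # fires on both builds: not tied to the fix
    if on_patched:
        return "inverted"     # fires only on the fixed build
    return "no-repro"         # never fires


if __name__ == "__main__":
    for check in (check_bad_tag_accepted, check_valid_accepted):
        print(check.__name__, "->", classify(check))
```

A check that fires on both builds is the false alarm the refinement loop is meant to filter out: it shows behaviour that the patch did not change.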

The system creates both an exploit and an example application with a built-in vulnerability to test and adjust the exploit until it works reliably. For instance, the researchers analysed a specific vulnerability, CVE-2025-54887, which involves a bypass of encryption, allowing attackers to decrypt invalid JWEs.

Dagger, a container framework, was used to create sandboxes for secure execution. The researchers developed a pipeline that clones the repository and extracts the patch based on the given versions for analysis. They also considered integrating tools like Ghidra and Bindiff to examine patches for closed software for vulnerabilities.

Initial experiments with additional tools, such as context7 and code exploration tools, were conducted, but proved less efficient due to high effort compared to the added value. Code templates were used, which proved more reliable than pure instructions.

The developed system is publicly accessible and could potentially eliminate the "grace period" defenders have to patch vulnerabilities before a functional exploit is published. The cost of the generated attack code is around one US dollar per instance. The system generates exploits that can be viewed at https://www.example.com.

After a comprehensive analysis, the agents generated a summary report that served as context for the next steps. The results of the investigation, including ten working exploits, are available in a GitHub repository and a Google Drive folder.

The researchers are considering whether AI could automate the exploitation not only of known security gaps but also of zero-day vulnerabilities. This development underscores the need for continuous vigilance and rapid response in the cybersecurity realm.
