Advertisement
Security

Automated Zero-Day Discovery via AI

Researchers are moving beyond theoretical AI capabilities, building automated pipelines to find live vulnerabilities in software.

··2 hours ago·2 min read
a computer monitor with a lot of code on it
Photo by Steve A Johnson on Unsplash
Advertisement

The discourse surrounding artificial intelligence in security research has long been dominated by speculative projections. Rather than contemplating what future models might eventually achieve, the engineering team at Intruder sought to determine the current practical utility of existing large language models in uncovering exploitable vulnerabilities within production environments.

The Problem of Contextual Noise

Integrating AI with traditional code scanning often leads to a failure in focus. When models are tasked with analyzing massive codebases, they are forced to ingest extraneous data, which depletes token limits and obscures actual security flaws. This massive input often forces models to operate within a diluted context, rendering the discovery of complex, multi-step vulnerabilities nearly impossible.

To overcome this, the team implemented a method derived from program slicing. By leveraging established tools to isolate specific segments of code, the researchers ensured that the AI only evaluated relevant function call chains. This approach mirrors how integrated development environments handle call graphs, allowing the model to function with precision rather than searching through irrelevant noise.

A Pipeline for Automated Exploitation

The research team constructed a multi-stage pipeline designed to process code, generate relevant slices, and triage findings using LLMs. By targeting the top 200 WordPress plugins, the researchers tested whether their automated process could successfully identify bugs in code that had already been extensively scrutinized by human bug bounty hunters.

The workflow utilizes specific rules to identify REST routes, template hooks, and unauthenticated AJAX calls. After Joern performs an initial scan to flag interesting patterns, a lightweight model filters out benign hooks. A more powerful model, Opus, then conducts an exploitability assessment using the isolated code context. Any confirmed vulnerabilities are passed to an exploitation agent, which utilizes a Docker container to verify the proof-of-concept.

AI clearly has a growing role to play in vulnerability research, and the work now is building the frameworks to get the most out of current models. Attackers are already using similar tooling to feed AI high-signal input, which means the same speed advantage we've demonstrated here isn't unique to defenders.

— Sam Pizzey, Security Engineer at Intruder

Discovery and Real-World Impact

The pipeline successfully identified CVE-2026-3985, a critical SQL injection vulnerability found in the Creative Mail plugin. This flaw was particularly significant because it required chained requests for exploitation and bypassed the developer's internal static analysis tools. While the vulnerability was also identified by Dmitrii Ignatyev of CleanTalk Inc., the automated system demonstrated the ability to generate a full extraction method to pull database password hashes without human intervention.

  • 300,000 users were impacted by the WordPress plugin containing the zero-day.
  • 7 million active installs exist for WooCommerce, increasing the potential attack surface.
  • 200 WordPress plugins were analyzed in the initial experiment.

The Escalating Speed of Discovery

The success of this automated pipeline signals a shift in the security landscape where discovery speed is rapidly accelerating. As these methods become more accessible, the barrier to identifying complex, multi-stage vulnerabilities is being lowered. For organizations, this underscores the necessity of maintaining robust, automated detection capabilities that can identify these flaws as quickly as they are being surfaced by AI-driven research, regardless of whether that research is being conducted by security professionals or malicious actors.

#artificial intelligence#vulnerability research#cybersecurity#sql injection#wordpress

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement