Google GTIG Confirms the First AI-Developed Zero-Day Used in the Wild

The Milestone Nobody Wanted to Reach

On May 11, 2026, Google's Threat Intelligence Group (GTIG) published what it describes as the first documented case of a criminal threat actor using AI to develop a working zero-day exploit that was intended for use in the wild. The exploit was a Python script that bypassed two-factor authentication on an unnamed but widely used open-source, web-based system administration tool. Anyone with valid credentials for an affected system could use it to defeat the 2FA gate entirely.

GTIG assesses that the group planned to use the exploit in a mass exploitation event. Google's own proactive counter-discovery work appears to have disrupted the campaign before it could be launched. The tool was not publicly named, which is the responsible choice while the vulnerability is being remediated, so this post deliberately does not speculate about which product it was.

This is not a "patch X by Friday" story. The vulnerability matters far less than what its discovery proves: the threat model that every infrastructure team has been planning around has already shifted.

Why a Scanner Would Never Have Caught This

The vulnerability was a logic flaw. A developer had hard-coded a trust assumption into the authentication flow. The code was functionally correct - it compiled, it ran, it passed tests - it was simply strategically broken. Under one specific condition, the authentication path treated a request as already trusted.

Traditional static analysis and vulnerability scanners are built to find code that is wrong: buffer overflows, injection sinks, unsafe deserialization, known-bad function calls. They are not built to find code that is right but reasoned incorrectly. A hard-coded trust assumption looks like normal, intentional code to a scanner because, mechanically, it is.

A large language model reads code the way a developer reviewing a pull request does. It follows the intent, not just the syntax, and it can recognise that "if this token exists, skip the password check" is a security decision with a flawed premise. That is exactly the class of semantic bug that has historically required a skilled human auditor and a lot of time. AI compresses both.

How GTIG Knew It Was AI-Built

The attacker did not announce the tooling. The exploit announced it for them. According to GTIG, the Python script carried the unmistakable fingerprints of LLM output:

• An abundance of educational docstrings explaining what each function did, in the tutorial register that models default to
• A hallucinated CVSS score for the vulnerability, invented and embedded in the code as if it were authoritative
• A polished, textbook Pythonic structure highly characteristic of LLM training data

In other words, the model wrote the exploit and then, by habit, signed it. The same training that makes models helpful for legitimate engineering leaves stylistic residue that is currently detectable. That detectability is a temporary advantage for defenders, not a permanent one.

This Is Not an Isolated Case

The single zero-day is the headline, but GTIG's broader reporting is the more important part. The group documented sustained, structured use of AI by multiple state and criminal actors:

• APT45 (North Korea) sending thousands of repetitive prompts that recursively analyse different CVEs and validate proof-of-concept exploits, building an arsenal of exploit capability at a scale that would be impractical to manage by hand.
• A China-linked group using expert-persona jailbreaking against Gemini, posing as security researchers to extract remote-code-execution research on router firmware.

These are not experiments. They are workflows. The recursive-prompting pattern in particular is significant: it turns a model into a tireless junior researcher that never stops grinding through CVE backlogs looking for the next weaponizable primitive.

The Quote That Should Reset Your Planning

John Hultquist, chief analyst at GTIG, put it plainly in the statement accompanying the report:

"There's a misconception that the race to AI vulnerabilities is imminent. The reality is it has already started."

He added that for every zero-day that can be traced back to AI, there are likely many more that cannot. The detection signals described above - the docstrings, the hallucinated scores - are the exploits that were sloppy enough to catch. The careful ones do not carry a signature.

What This Actually Changes for Infrastructure Teams

Nothing about this requires panic, and none of it is a reason to distrust AI tooling - defenders are using the same capability, and should be. What it requires is an honest update to a few planning assumptions:

1. Patch windows are now adversarially short. We have already written about this month's compressed disclosure-to-exploit timelines. AI-assisted exploit development shortens the attacker side of that race too. A logic flaw in your stack is now findable by a machine that does not get bored.
2. Logic flaws deserve real review budget. Scanners remain necessary and insufficient. The bugs that AI finds best - semantic, intent-level mistakes in auth and trust boundaries - are precisely the ones automated tooling on the defensive side also misses. Human-led design review of authentication and authorization flows is no longer optional polish.
3. Credential hygiene is load-bearing. The GTIG exploit required valid credentials to reach the 2FA bypass. Every layer that assumes "they will not get this far" is exactly the layer an AI-found logic flaw is built to collapse, as the recent patch-spawned kernel escalations also demonstrated.

The defensive takeaway is not "AI is dangerous." It is that the cost of finding a certain class of vulnerability just dropped by an order of magnitude for everyone, including the people you do not want finding them first. Plan as though that is true, because it now is.

Sources

The primary source is the Google Threat Intelligence Group report, Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access, published May 11, 2026. The findings and the John Hultquist statement were independently reported by CNBC, The Register, The Hacker News, and Cybersecurity Dive. GTIG did not publicly name the affected administration tool; this post does not speculate on its identity.

Our team tracks AI-accelerated threat trends and handles authentication-flow review and CVE remediation across managed infrastructure as part of our security and compliance service. If you want an independent review of your authentication and trust boundaries, get in touch.