Google finds AI‑crafted zero‑day exploit

- Google’s Threat Intelligence Group said on May 11 it found the first in-the-wild zero-day exploit it believes was developed with AI assistance.
- The case sat inside a broader GTIG report on adversaries using generative models for vulnerability research, malware work, and initial access at scale.
- That matters because AI may shrink the time between bug discovery and weaponized exploit, making defenders patch and detect faster.

Zero-days are the nightmare version of a software bug. Nobody knows the flaw exists yet, which means there is no patch, no signature, and often no obvious way to spot an attack early. Now Google says it has seen something new on top of that old problem — a threat actor using a zero-day exploit that Google believes was developed with AI assistance. That claim showed up in a Google Threat Intelligence Group report published on May 11, and it matters less as a one-off headline than as a sign that exploit development may be speeding up.

### What is a zero-day, exactly?

A zero-day is a vulnerability defenders have had zero days to fix. If attackers find it first, they get a window where the target is exposed and the vendor is blind. That is why zero-days are prized in espionage and high-end cybercrime — they bypass the normal rhythm of patch Tuesday, antivirus updates, and known-bad indicators.

### What did Google actually say?

Google did not say AI magically hacked a system by itself. The company said it identified a threat actor using a zero-day exploit that it believes was developed with AI. That wording matters. It points to AI-assisted exploit creation — not fully autonomous cyberwarfare — and Google framed it as the first time GTIG had identified that pattern in the wild. (cloud.google.com)

### Why is that different from normal AI cyber hype?

Because this is not just AI writing phishing emails or cleaning up malware code. Exploit development is harder. An attacker has to understand a bug deeply enough to turn it into a reliable way into a target system. Microsoft has also been warning that newer models can discover weaknesses, chain smaller issues together, and generate proof-of-concept exploit code faster than human teams alone. (blog.google)

### So did AI find the bug too?

Google’s public write-up, at least in the material it released this week, is careful on that point. It says the exploit was believed to be developed with AI, not necessarily that the underlying vulnerability was discovered by AI from scratch. That distinction is important — finding a bug and weaponizing a bug are related but different jobs. The second step is often what turns a security issue into an actual incident. (microsoft.com)

### Why does speed matter so much here?

Because defense is already a race against time. GTIG tracked 90 zero-days exploited in the wild in 2025, up from 78 in 2024 and below the 2023 peak of 100, which means the overall pressure never really went away. If AI shortens the time from “interesting flaw” to “working exploit,” defenders lose breathing room at the exact moment they need it most. (cloud.google.com)

### Does this mean every hacker now has zero-days?

Not instantly. High-quality zero-day exploitation still takes judgment, testing, and operational discipline. But the catch is that AI can lower the labor cost of the hardest parts — bug triage, code analysis, exploit iteration, and adaptation to new targets. That does not eliminate elite attackers. It may just make elite tradecraft easier to scale. That is the real shift security teams are worried about. (cloud.google.com)

### What should defenders take from this?

The old model — wait for a patch, then clean up — looks weaker if attackers can move faster. Security teams need tighter asset inventories, shorter patch cycles, stronger isolation around exposed systems, and detection that looks for suspicious behavior instead of known malware alone. Google’s report is basically a warning that AI is moving from a support tool in cyber operations into part of the exploit pipeline itself. (cloud.google.com)

### Bottom line

The important part is not that AI has become an all-powerful hacker. It hasn’t. The important part is that Google says AI has now crossed into one of the most valuable parts of offensive cyber work — building a zero-day exploit before defenders even know the hole exists. (blog.google) (cloud.google.com)
