AI Systems Accelerate Exploitation of Vulnerabilities: How to Adapt Protection

A study conducted by University of Illinois researchers found that the GPT-4 AI model can exploit 87% of known vulnerabilities when provided with CVE descriptions. Without such data, its effectiveness drops to 7%. However, the emergence of Claude Mythos Preview has changed the landscape: it has learned to independently discover zero-day vulnerabilities, nullifying the advantages of traditional defensive systems. In tests, Mythos replicated 83.1% of vulnerabilities from the CyberGym benchmark, with the cost of a single attack on OpenBSD amounting to less than $20.

The speed of vulnerability exploitation has reached critical levels. For instance, the CVE-2026-33017 vulnerability (CVSS 9.8) in Langflow was attacked within 20 hours of publication, while CVE-2026-39987 (CVSS 9.3) in Marimo was exploited in just 9 hours and 41 minutes. According to a Rapid7 report, the median time from CVE publication to inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog is five days, but attacks begin even before patches are released. This shatters traditional notions of patch window security.

Experts recommend moving away from prioritizing vulnerabilities based solely on CVSS and adopting a three-layered filtering approach: considering CISA KEV status, Exploit Prediction Scoring System (EPSS) metrics, and CVSS. This method improves efficiency by 1800% and covers 85.6% of exploited vulnerabilities. It is also critical to automate patching processes for mission-critical services, test authorization boundaries at the AI agent level, and map vulnerabilities for all AI development tools such as Langflow, Flowise, and n8n.

Security standards for AI agents are still under development. Projects like IETF’s draft-klrc-aiagent-auth-01 propose using SPIFFE and OAuth 2.0 for dynamic issuance of short-term credentials. However, until these are implemented, companies must independently adapt their defenses to keep pace with attack speeds measured not in days, but in hours.