Google Detects First AI-Weaponized Zero-Day Bypassing 2FA
A May 11, 2026, report from Google’s Threat Intelligence Group reveals a milestone in offensive AI: an exploit targeting an authorization logic flaw in an open…

Google’s Threat Intelligence Group (GTIG) released its AI Threat Tracker report on May 11, 2026, revealing the first confirmed case of a cybercriminal campaign relying on an AI model to discover and weaponize a zero-day vulnerability.
The exploit—a Python script capable of bypassing two-factor authentication (2FA) on an open-source web-based administration tool—was intercepted and blocked before reaching the stage of mass exploitation.
The significance of the discovery lies not in the complexity of the code, but in its signature: a pedagogical structure, educational docstrings, and an invented CVSS score. These elements betray the use of an AI model as a supporting tool, signaling that the offensive AI arms race has moved into active territory.
- GTIG identified the first weaponized zero-day developed with LLM assistance, as documented in the AI Threat Tracker report released May 11, 2026.
- The exploit is a Python script that bypasses 2FA on an open-source tool by targeting an authorization logic flaw with ineffective hardcoded trust assumptions, rather than memory corruption.
- Google has ruled out the use of Gemini and expresses high confidence that the attacker utilized an external AI model, citing specific stylistic fingerprints within the code.
- The campaign was disrupted prior to mass exploitation; Google collaborated with the vendor to patch the flaw, though the specific group and tool names remain undisclosed.
Identifying AI-Generated Exploits
GTIG’s analysis of the payload identified stylistic anomalies rarely seen in code manually developed by traditional threat actors. The Python file featured overly descriptive docstrings, detailed help menus, and an ANSI color class formatted in a textbook "Pythonic" style—markers typical of the training datasets used for Large Language Models (LLMs). While harmless in isolation, these elements represent a major inconsistency in an offensive context: malware code is typically lean, obfuscated, and devoid of educational commentary.
The most telling signature, however, was a self-assigned and "hallucinated" CVSS score embedded directly into the source code. The value did not correspond to standard calculations, suggesting the author requested a risk assessment from the model and accepted the output without human verification. For defenders, these patterns are becoming new indicators of compromise: a payload that appears too "clean" or pedagogical may signal an AI origin more effectively than behavioral signatures.
"There’s a misconception that the AI vulnerability race is imminent. The reality is that it’s already begun. For every zero-day we can trace back to AI, there are probably many more out there" — Chief analyst at GTIG
The Bypass Mechanism: Logic Flaws vs. Hardcoded Trust
Technically, the exploit does not target memory corruption or input validation bugs. Instead, it exploits an authorization logic flaw. The targeted open-source tool contained an ineffective hardcoded trust assumption: an implicit developer belief that certain workflows were secure simply because they were positioned behind an authentication layer. Using valid credentials already in their possession, the attacker used the Python script to correlate 2FA enforcement logic with these hardcoded exceptions, effectively bypassing the check.
According to GTIG researchers, the critical factor is the model's capacity for contextual reasoning: "Though frontier LLMs struggle to navigate complex enterprise authorization logic, they have an increasing ability to perform contextual reasoning, effectively reading the developer’s intent to correlate the 2FA enforcement logic with the contradictions of its hardcoded exceptions," the report states.
This approach shifts the attack surface. Dormant logic flaws, often invisible to traditional SAST and DAST scanners, are now accessible to models that read source code like natural language. For vendors, the takeaway is clear: hardcoded assumptions now require dedicated review, as an LLM can identify and weaponize them far faster than a human analyst.
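The report does not disclose the affected tool or the flaw's details, so the following is an added illustration of the flaw class only, not code from the report or the vendor. It sets a hardcoded 2FA exemption beside a deny-by-default form and includes an audit helper a reviewer can run over a route table; every route, name and function here is a constructed assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    password_ok: bool  # first factor verified
    mfa_ok: bool       # second factor verified

# Constructed route table for a hypothetical admin tool (all names are assumptions).
ROUTES = ["/login", "/2fa/verify", "/dashboard", "/settings/users", "/api/backup/restore"]
PRE_MFA_ROUTES = frozenset({"/login", "/2fa/verify"})  # needed to complete 2FA

# Weak form: a hardcoded exception that trusts everything under /api/ because
# "it already sits behind authentication".
LEGACY_EXEMPT_PREFIXES = ("/2fa/", "/api/")

def legacy_allows(session: Session, path: str) -> bool:
    if path == "/login":
        return True
    if not session.password_ok:
        return False
    if path.startswith(LEGACY_EXEMPT_PREFIXES):
        return True  # 2FA check skipped for exempt prefixes
    return session.mfa_ok

# Corrected form: deny by default; the only pre-2FA routes are an explicit,
# exact-match allowlist containing just the 2FA handshake.
def hardened_allows(session: Session, path: str) -> bool:
    if path == "/login":
        return True
    if not session.password_ok:
        return False
    return session.mfa_ok or path in PRE_MFA_ROUTES

def pre_mfa_exposure(allows, routes=ROUTES) -> list:
    """List routes a password-only session reaches beyond the 2FA handshake."""
    half_authenticated = Session(password_ok=True, mfa_ok=False)
    return sorted(p for p in routes
                  if allows(half_authenticated, p) and p not in PRE_MFA_ROUTES)

if __name__ == "__main__":
    print("legacy  :", pre_mfa_exposure(legacy_allows))
    print("hardened:", pre_mfa_exposure(hardened_allows))
```

Run as a regression test against a real route table, `pre_mfa_exposure` should return an empty list; any entry is a workflow that the 2FA enforcement logic and its exceptions disagree about.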
Why Google Ruled Out Gemini While Confirming AI Use
In the report, Google explicitly states it does not believe its own Gemini model was used in the discovery or weaponization phases. However, the structure and content of the code provide high confidence that the actor relied on an external AI model. "Although we do not believe Gemini was used, based on the structure and content of these exploits, we have high confidence that the actor likely leveraged an AI model to support the discovery and weaponization of this vulnerability," the document reads.
The exclusion of Gemini is more than a marketing detail; it emphasizes that the threat is not tied to a single provider or proprietary model. The actor could have utilized open-source tools, third-party commercial APIs, or self-hosted models. The remaining unknown is the degree of human supervision—while the report doesn't clarify if an operator simply pasted AI output or orchestrated the flow, the phrasing "likely leveraged" suggests active support rather than fully autonomous creation.
Strategic Recommendations
For vendors of web-based open-source tools, the priority is eliminating hardcoded trust assumptions from authorization logic. Because these flaws evade traditional automated scanners, manual reviews of multi-level authentication flows are now mandatory. An LLM with valid credentials can exploit these inconsistencies to bypass 2FA in a very short timeframe.
Threat intelligence teams should update detection signatures to include AI stylistic indicators: textbook-style ANSI classes, educational docstrings, and self-assigned CVSS scores in offensive payloads. Furthermore, Red Teams and researchers must integrate LLMs into security testing cycles to anticipate how models might "read" developer intent to find hardcoded contradictions within their own codebases.
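As an added example (not GTIG's tooling or code from the report), the sketch below turns the stylistic indicators named here and under "Identifying AI-Generated Exploits" into a static triage check for Python samples. The thresholds, the regexes, the function names and the embedded benign sample are all assumptions made for illustration.

```python
import ast
import re

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
CVSS_RE = re.compile(r"CVSS[^\n:=]{0,30}[:=]\s*(10(?:\.0)?|\d(?:\.\d)?)\b", re.I)

# Constructed, benign sample that carries the stylistic markers (not a real payload).
SAMPLE = r'''
"""Demo utility. CVSS Score: 9.8 (Critical)"""
import argparse

class Colors:
    """ANSI color codes for terminal output."""
    GREEN = "\033[92m"
    RESET = "\033[0m"

def main():
    """Parse command-line arguments."""
    p = argparse.ArgumentParser(description="Demo")
    p.add_argument("--input", help="Input file to read")
    p.add_argument("--output", help="Output file to write")
    p.add_argument("--verbose", action="store_true", help="Enable verbose output")
'''

def ai_style_indicators(source: str) -> dict:
    """Collect stylistic markers from Python source; parses only, never executes."""
    tree = ast.parse(source)
    defs = [n for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    ansi_classes = []
    for cls in (n for n in defs if isinstance(n, ast.ClassDef)):
        strs = [s.value.value for s in cls.body if isinstance(s, ast.Assign)
                and isinstance(s.value, ast.Constant) and isinstance(s.value.value, str)]
        if len(strs) >= 2 and all(ANSI_RE.search(v) for v in strs):
            ansi_classes.append(cls.name)
    return {
        "docstring_ratio": sum(bool(ast.get_docstring(n)) for n in defs) / max(len(defs), 1),
        "ansi_color_classes": ansi_classes,
        "help_strings": sum(kw.arg == "help" for n in ast.walk(tree)
                            if isinstance(n, ast.Call) for kw in n.keywords),
        "self_assigned_cvss": CVSS_RE.findall(source),
    }

def triage_score(ind: dict) -> int:
    """Count how many of the four markers co-occur (0-4); a hint for analysts, not a verdict."""
    return sum([ind["docstring_ratio"] >= 0.8, bool(ind["ansi_color_classes"]),
                ind["help_strings"] >= 3, bool(ind["self_assigned_cvss"])])
```

Each marker is common in legitimate code, so the score is only useful on files already flagged as suspicious, where the co-occurrence of several markers is the anomaly.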
The Front Line: From Memory Bugs to Logic Flaws
The GTIG discovery shifts the defensive focus. The question is no longer just whether code contains a buffer overflow, but whether its authorization logic hides an intent that is more legible to a model than to a human auditor. While LLMs have not yet mastered sophisticated memory corruption exploits, they demonstrate a growing proficiency in contextual reasoning regarding business logic. For organizations relying on open-source web tools, this expands the attack perimeter to applications previously considered stable because they lacked "classic" bugs.
The GTIG case does not support the narrative of an omnipotent AI, but rather demystifies it: the code was caught specifically because the user left obvious AI fingerprints. However, it provides the first concrete evidence of a language model assisting the cycle from discovery to weaponization, lowering the barrier for actors who previously lacked the resources to find zero-days. Defending the perimeter now requires looking not just at the vulnerable code, but at the logic used to attack it.
Questions & Answers
Did this zero-day result in real-world victims?
No. Google collaborated with the vendor to patch the vulnerability and disrupt the campaign before the exploit reached mass distribution. Additionally, the attack required valid user credentials to function, which limited the potential for widespread compromise.
Why did security scanners fail to detect the flaw?
The vulnerability was an authorization logic flaw, not a standard memory corruption or input validation error. Hardcoded trust assumptions do not typically trigger traditional static or dynamic analysis alerts and require manual business logic reviews to identify.
Have analysts identified which AI model was used?
No. While Google has high confidence that Gemini was not involved, the specific model remains unknown. For security reasons, the GTIG report also omitted the names of the cybercriminal group and the targeted open-source tool.