On Monday, May 11, 2026, Google's Threat Intelligence Group (GTIG, the company's in-house team that tracks state and criminal hackers) disclosed something it had never reported before. A real attacker, operating in the wild, used a zero-day exploit that Google assessed with high confidence was written by an artificial intelligence model. A zero-day is a flaw the software vendor does not yet know about, so there is no patch and no warning.
The exploit was built for a mass attack. Google spotted it, worked with the vendor to quietly fix the hole, and the campaign appears to have been disrupted before it could launch. The detail that matters for everyone watching is not the patch. It is what the AI got wrong, and what that says about how fast this is moving.
The target was a popular open-source, web-based system administration tool, the kind of dashboard IT teams use to manage servers. Google did not name it. The exploit was a Python script that bypassed the tool's two-factor authentication (2FA, the second login step such as a code from an app). The underlying bug was a semantic logic flaw: the software made a hard-coded trust assumption, treating one part of the login as already proven when it was not. That class of mistake is subtle, easy for a human to skim past, and exactly the kind of pattern a large language model is good at reading out of source code.
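To make that class of bug concrete, here is an added illustration that is not from Google's report and is not the affected tool's code (the tool and its flaw were not published). The account data, session dictionary and function names are all constructed for this example, and a fixed six-digit code stands in for a real app-generated one.

```python
import hmac

# Constructed sample account. A real system stores a password hash and
# derives one-time codes from a secret; fixed values keep this runnable.
USERS = {"alice": {"password": "correct horse", "otp": "492817",
                   "mfa_enrolled": True}}

def _same(a, b):
    # Constant-time comparison of two strings.
    return hmac.compare_digest(a.encode(), b.encode())

def password_step(session, user, password):
    """Step 1: check the password and record who is logging in."""
    acct = USERS.get(user)
    if acct and _same(acct["password"], password):
        session["user"] = user
        session["mfa_verified"] = False  # second factor not proven yet
        return True
    return False

def otp_step(session, code):
    """Step 2: the only place allowed to mark the second factor proven."""
    acct = USERS.get(session.get("user", ""))
    if acct and _same(acct["otp"], code):
        session["mfa_verified"] = True
        return True
    return False

def is_authenticated_flawed(session):
    # Flawed: trusts that a session with a user name must have completed
    # both steps, so a password-only session counts as fully logged in.
    return "user" in session

def is_authenticated_hardened(session):
    # Hardened: deny by default and require explicit proof of each factor.
    acct = USERS.get(session.get("user", ""))
    if acct is None:
        return False
    if acct["mfa_enrolled"] and session.get("mfa_verified") is not True:
        return False
    return True
```

Both checks agree once the code has been entered; they differ only for a session that stopped after the password, which is why this kind of flaw survives ordinary login testing.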
So how did Google know an AI wrote it? The script gave itself away. It was stuffed with tidy educational comments, used a textbook-clean structure, and, most tellingly, carried a CVSS score (the standard 0 to 10 severity rating for a vulnerability) that the model had simply invented. The rating it cited does not exist. A human exploit author does not hallucinate a severity score. A language model, asked to document its own work, does.
The concrete outcome here was a near miss. A criminal crew had a working weapon aimed at every organization running one widely used admin tool, and a fix landed before the wave hit. But read what the near miss implies. The hardest, most expensive part of offensive hacking has always been discovering a novel flaw and turning it into reliable, working code. That is the work that separated elite attackers from everyone else, and it is the part an AI just did. If your organization runs open-source infrastructure anywhere in its stack, and almost every organization does, the window between a bug existing and a weaponized exploit reaching your perimeter is closing. Ryan Dewhurst of the security firm watchTowr put it plainly: discovery, weaponization, and exploitation are all getting faster, and defenders do not get to opt out. The systemic shift is a compression of time. Patch cycles measured in weeks were already uncomfortable. Against an attacker who can ask a model to find and arm a flaw over a weekend, weeks is a losing pace.
The headline is not that an AI can write code. It is that an AI found a real flaw in real software, wrote a working exploit for it, and a criminal group nearly used it at scale. The slip that exposed the operation, a made-up severity score, will not save defenders next time, because sloppiness is the quality problem the next model fixes. What does not change is the arithmetic. The cost of finding and weaponizing a vulnerability just fell, and the time you have to patch fell with it. Bring one question to your next security review. For the internet-facing tools you depend on, how fast can you actually patch, and is that fast enough for an attacker who no longer has to be brilliant, only quick?


