Google has confirmed the first real-world case of cyber criminals using AI to find and weaponise a zero-day vulnerability, The Register reported on May 11.

Google Threat Intelligence Group (GTIG) said in a report that a two-factor authentication (2FA) bypass bug in a popular open-source web-based management platform was abused by criminals planning a large intrusion campaign.

The attackers appear to have used an AI model to identify the vulnerability and turn it into a usable exploit. Google said it worked with the vendor to quietly apply a patch before the attack campaign escalated and may have blocked the attack in advance.

Google said Gemini and Anthropic Mythos were not used in the attack. It said the exploit itself was suspected to have been created by a machine.

Google said the exploit, a Python script, included tutorial-like docstrings and coding structures that appeared to resemble LLM training data.

GTIG senior analyst John Hultquist said, "There is a misconception that the AI vulnerability race is about to begin. The reality is that it has already begun."

Google said in its report that the zero-day case is part of a bigger trend. North Korean hacking group APT45 is using AI to process thousands of exploit checks and expand its toolkit, and China-linked state-backed hackers are testing AI systems for vulnerability discovery and automated target detection. Russia is carrying out influence operations that splice AI-generated audio into real news footage, the report said.

Google said the attack still appears to be in an early stage, and mistakes in implementing the exploit may have disrupted the criminals' plan this time. It said it is not known how long such mistakes will continue to hold attackers back.

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.