The discovery of an AI-assisted zero-day exploit marks a new phase in cybercrime, where attackers are beginning to use machine reasoning to identify logic flaws hidden from conventional security tools.

Google has warned that hackers are now using artificial intelligence to discover and weaponize security vulnerabilities that traditional automated scanners are unlikely to detect, raising concerns that AI is beginning to change the economics of cyberattacks.
The warning came from Google’s Threat Intelligence Group, which said it had identified what it believes is the first known case of a threat actor using an AI-developed zero-day exploit. The vulnerability was found in a popular open-source, web-based system administration tool and could allow attackers to bypass two-factor authentication, provided they already had valid user credentials. Google said the criminal group planned to use the flaw in a mass exploitation campaign, but its proactive detection and disclosure to the vendor helped disrupt the operation.
The case is significant because the flaw was not the kind of bug that ordinary scanners are built to catch. Google said the weakness stemmed from a high-level logic error: a hardcoded trust assumption inside the software’s authentication flow. Static analysis tools and fuzzers are designed to detect crashes, unsafe input handling or memory corruption, but they often miss vulnerabilities that require understanding what the developer intended the system to do.
That is where modern AI systems may give attackers a new advantage. Large language models can read code contextually, compare different parts of a program and identify contradictions in business logic. In this case, Google said the exploit’s structure showed signs of AI involvement, including unusually educational documentation, a hallucinated severity score and a clean, textbook-style Python format characteristic of model-generated code.
The discovery marks a turning point in cybersecurity. For years, AI has been discussed mainly as a defensive tool, helping companies detect malware, analyze suspicious behavior and patch vulnerabilities faster. But Google’s report shows that the same capabilities are now being adopted by cybercriminals and state-linked groups to accelerate vulnerability research, automate reconnaissance and improve exploit development.
Google said it has observed growing interest in AI-assisted vulnerability discovery from threat actors linked to China and North Korea, while cybercriminal groups are also experimenting with the technology. Some actors have used “expert persona” prompts to make AI models behave like senior security auditors or binary exploitation specialists, while others have fed models large collections of historical vulnerabilities to improve their ability to detect similar weaknesses in new code.
The danger is not that AI instantly makes every hacker elite. Rather, it lowers the barrier to complex work. Tasks that once required a skilled vulnerability researcher — reading source code, tracing authentication logic, writing proof-of-concept scripts and refining payloads — can now be accelerated by AI systems. That makes attacks cheaper, faster and potentially easier to scale.
The concern extends beyond vulnerability discovery. Google’s report also described AI-assisted malware development, defensive evasion and autonomous malware operations. It cited examples of malware families using AI to modify code dynamically, generate obfuscation techniques or interpret infected systems in order to decide what commands to run next.
At the same time, Google emphasized that AI is also becoming a powerful tool for defenders. The company said it uses AI agents such as Big Sleep to identify vulnerabilities and has been experimenting with AI systems capable of automatically fixing critical code flaws. In other words, the cybersecurity race is becoming an AI contest on both sides: attackers are using models to find weaknesses, while defenders are using them to detect, patch and disrupt attacks faster.
The broader implication is that companies can no longer rely only on conventional scanning tools. Automated scanners remain useful, but they are less effective against semantic vulnerabilities: weaknesses rooted in mistaken assumptions, inconsistent authorization logic or business-rule contradictions. Such code may look technically correct while still being exploitable.
Security teams will therefore need to expand their approach. Code reviews, threat modeling, red-team exercises and AI-assisted defensive analysis are likely to become more important, especially for authentication systems, administrative dashboards and widely used open-source tools.
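To make the scanner gap concrete, here is an added sketch (not code from Google's report or from the affected tool, whose flaw is not detailed here) of a toy login flow with a hardcoded trust assumption, its corrected form, and an intent-level invariant check that tells them apart. The `Login` fields, function names and addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

TRUSTED_CLIENT = "127.0.0.1"  # constructed value for this sketch


@dataclass(frozen=True)
class Login:
    password_ok: bool    # first factor verified
    otp_ok: bool         # second factor verified
    enrolled_2fa: bool   # account has 2FA enabled
    client_addr: str     # address the application believes the request came from


def grants_session_flawed(req: Login) -> bool:
    """Toy flow with a hardcoded trust assumption: 'local' clients skip 2FA."""
    if not req.password_ok:
        return False
    if req.client_addr == TRUSTED_CLIENT:  # the assumption under test
        return True
    return req.otp_ok or not req.enrolled_2fa


def grants_session_fixed(req: Login) -> bool:
    """Same flow with no exemption: enrolled accounts always need the OTP."""
    if not req.password_ok:
        return False
    return req.otp_ok or not req.enrolled_2fa


def invariant_violations(grants_session) -> list:
    """Enumerate every input combination and return those that break the
    intended rule: an enrolled account never gets a session without both
    factors. Nothing crashes on these inputs, so the check has to state
    the developer's intent explicitly."""
    violations = []
    for pw, otp, enrolled, addr in product(
        (True, False), (True, False), (True, False),
        (TRUSTED_CLIENT, "203.0.113.7"),
    ):
        req = Login(pw, otp, enrolled, addr)
        if grants_session(req) and enrolled and not (pw and otp):
            violations.append(req)
    return violations


if __name__ == "__main__":
    for name, flow in (("flawed", grants_session_flawed),
                       ("fixed", grants_session_fixed)):
        print(name, invariant_violations(flow))
```

Both functions run without error on every input; only the stated invariant separates them, which is why this kind of check belongs in the test suite for any authentication path.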
The warning also raises questions for AI companies and regulators. If advanced models can help identify subtle vulnerabilities, developers of AI systems will face growing pressure to prevent misuse without blocking legitimate security research. Google said malicious actors are already experimenting with ways to obtain high-volume, anonymized access to premium AI models through proxy services, account pooling and automated registration pipelines.
The incident does not mean AI has made cyberdefense impossible. But it does show that the threat landscape is changing quickly. Attackers are beginning to use AI not just to write phishing emails or automate scripts, but to reason through software architecture and uncover flaws that humans and scanners may miss.
For governments, companies and software maintainers, Google’s message is clear: the age of AI-assisted hacking has arrived. The organizations that adapt their defenses fastest will be better positioned to survive it.




