AI Vending Machine Spits Out Zero-Day Exploits Automatically

ยท
Listen to this article~5 min

Security researchers built an AI-powered vulnerability vending machine that automatically discovers zero-days. It already found a WordPress plugin exploit and is uncovering more bugs through responsible disclosure.

What if you could drop a few AI tokens into a machine and get a zero-day vulnerability back? That's exactly what security researchers at Intruder have built. They call it a "vulnerability vending machine," and it's already found real exploits in the wild. This isn't science fiction. The system combines code slicing with large language models (LLMs) to automatically discover complex software vulnerabilities. And it worked. The team used it to find and exploit a previously unknown WordPress plugin zero-day. They've already disclosed several more findings to vendors through responsible disclosure. ### How the Vulnerability Vending Machine Works The magic happens in two stages. First, the system uses code slicing to break down software into manageable chunks. Think of it like a chef carefully cutting ingredients before cooking. Each slice isolates specific code paths that could hide security flaws. Then comes the AI part. LLMs analyze these code slices looking for patterns that indicate vulnerabilities. The AI doesn't just guess. It reasons through the code like a human security researcher would, but at machine speed. This combination lets it find bugs that traditional automated scanners miss. ### Real-World Results: A WordPress Plugin Zero-Day The team put their machine to the test against a popular WordPress plugin. Within hours, the system identified a critical vulnerability that could let attackers take over websites. The exploit chain was complex enough that manual review would have taken days or weeks. - The AI found the initial entry point in less than 30 minutes - It mapped the full exploit path in under 2 hours - The team verified and reported the zero-day within a single workday This isn't just about finding bugs. It's about finding bugs that matter. The WordPress plugin in question has over 100,000 active installations. That's a lot of potentially vulnerable websites. ### Why This Changes the Game for Security Research Traditional vulnerability research is slow. A skilled human might find one or two zero-days per month. This machine can potentially find dozens in the same timeframe. That's a massive shift in the security landscape. But there's a catch. The same technology that helps defenders find bugs can also help attackers. Bad actors could use similar systems to discover exploits faster than ever before. The security community needs to stay ahead of this curve. ### Responsible Disclosure: The Right Way to Handle Discoveries Intruder is handling their findings responsibly. They've already contacted the WordPress plugin developer and are working through the disclosure process. This gives vendors time to patch before attackers can exploit the vulnerabilities. The team emphasizes that they're not just finding bugs for fun. They want to make the internet safer. Their disclosure process follows industry best practices, giving developers 90 days to fix issues before public disclosure. ### What This Means for Your Security Strategy If you run WordPress sites, this should be a wake-up call. Plugin vulnerabilities are a top attack vector. The fact that AI can now find them automatically means you need to stay on top of updates more than ever. - Keep all plugins updated to the latest versions - Remove unused plugins entirely - Use a web application firewall for extra protection - Consider a vulnerability scanner that uses AI-powered detection The days of relying solely on manual security audits are ending. Automated systems like this vending machine are becoming the new normal. The question isn't whether AI will find your vulnerabilities. It's whether you'll fix them before someone exploits them. ### The Future of Automated Vulnerability Discovery This technology is just getting started. As LLMs improve and code slicing techniques become more sophisticated, we'll see even more powerful vulnerability hunting machines. The security industry needs to embrace these tools while also addressing the ethical implications. For now, the vending machine is a proof of concept. But it's a powerful one. It shows that AI can do more than just write code. It can find the flaws in code too. And that changes everything about how we think about software security.