AI Just Discovered a Zero-Day Without Human Help: The Future of Vulnerability Research Has Already Arrived + Video

Listen to this Post

Featured ImageIntroduction: AI Is No Longer Predicting the Future of Cybersecurity, It Is Actively Shaping It

For years, discussions around artificial intelligence in cybersecurity have focused on potential rather than reality. Security professionals debated whether AI would eventually replace vulnerability researchers, automate penetration testing, or discover zero-day exploits faster than humans. Those conversations often remained theoretical because the available models lacked the reasoning capabilities needed for complex security analysis.

That landscape is rapidly changing.

A recent experiment by security researchers at Intruder demonstrates that modern Large Language Models (LLMs), even without next-generation reasoning models like Mythos, are already capable of discovering real-world vulnerabilities completely autonomously. Their research showcases an AI-driven vulnerability hunting pipeline that identified and successfully exploited a previously unknown SQL injection vulnerability inside a popular WordPress plugin used by more than 300,000 websites.

Rather than replacing human expertise, this breakthrough reveals something even more significant: AI has become a force multiplier capable of accelerating vulnerability discovery at a speed that traditional security research cannot easily match. As defenders gain access to these tools, attackers are likely doing the same, creating an entirely new phase in the cybersecurity arms race.

The Shift from AI Theory to Real-World Vulnerability Hunting

Artificial intelligence has already transformed numerous industries, but cybersecurity presents unique challenges.

Unlike image recognition or language generation, vulnerability research requires understanding thousands of interconnected functions, tracing data flows across applications, identifying unsafe assumptions, and chaining multiple weaknesses into a working exploit.

Until recently, this remained largely outside the capabilities of language models.

Intruder’s research set out to answer a practical question:

Can

The answer appears to be yes.

Instead of relying on future AI breakthroughs, the researchers built an automated pipeline using today’s commercially available language models together with established code analysis technologies.

The result was the discovery of a genuine zero-day vulnerability.

Why Simply Feeding an Entire Codebase to AI Fails

One of the biggest misconceptions surrounding AI code analysis is that developers can simply upload an entire software repository and ask an LLM to identify vulnerabilities.

Reality is much more complicated.

Modern software projects often contain thousands of files.

Attempting to process every source file introduces several major problems:

Massive token consumption

Context window limitations

Irrelevant code overwhelming useful information

Reduced reasoning accuracy

Loss of relationships between critical functions

Large language models excel when analyzing focused pieces of code.

However, once excessive unrelated context is introduced, the quality of analysis drops dramatically.

Finding a complex vulnerability often requires understanding only a tiny fraction of the application.

Everything else becomes distraction.

A Smarter Approach: Program Slicing Instead of Full Code Analysis

Rather than forcing AI to read an entire application, Intruder developed an intelligent preprocessing pipeline.

Instead of analyzing complete repositories, the system creates what researchers call a program slice.

A program slice contains only the functions, methods, and execution paths directly related to a potentially vulnerable operation.

This dramatically reduces irrelevant information while preserving every function needed for AI reasoning.

The concept resembles IDE features such as:

Find Implementation

Call Graph Analysis

Function Tracing

Language Server Protocol (LSP) dependency mapping

Traditional static analysis tools already perform these tasks efficiently.

The innovation lies in combining those mature technologies with LLM reasoning.

Building an Autonomous Vulnerability Discovery Pipeline

The research pipeline consists of several independent stages that together perform fully automated vulnerability research.

The process begins with Joern, a Code Property Graph (CPG) analysis framework widely respected in security research.

Joern scans the entire codebase looking for patterns that may indicate dangerous behavior.

Instead of searching only for confirmed vulnerabilities, the engine intentionally produces a large number of suspicious findings.

False positives are acceptable because AI performs later filtering.

This allows broader coverage without missing subtle bugs.

Finding Every Possible Attack Surface

For this experiment, researchers focused specifically on unauthenticated WordPress attack surfaces.

Joern searched for every location where user-controlled input could reach application logic.

These included:

REST API endpoints

AJAX handlers

Public hooks

Template functions

WordPress actions

External request handlers

Every discovered entry point became a candidate for deeper investigation.

Filtering Safe Code Before AI Gets Involved

Not every suspicious function represents an actual security issue.

Basic taint analysis removes obviously safe execution paths.

If user input passes through trusted sanitization routines or validated security controls, those slices are discarded before reaching the language model.

This significantly improves efficiency while reducing unnecessary AI computation.

Using Multiple AI Models for Different Tasks

Rather than relying on one giant language model, Intruder employed multiple specialized agents.

The first lightweight model performs rapid triage.

Its responsibilities include:

Removing harmless findings

Ignoring expected public endpoints

Filtering low-risk functions

Ranking suspicious behaviors

Only the most promising code slices move forward.

A larger reasoning model then performs deeper exploitability analysis using the complete execution context.

Because the model receives only relevant code, it avoids wasting reasoning power on unrelated files.

The Final Stage: Autonomous Exploitation

Once AI determines that a vulnerability appears exploitable, another autonomous agent begins constructing an actual exploit.

Unlike earlier stages, this agent gains controlled access to:

Full source code

Targeted searches

Docker testing environments

Runtime validation

Instead of merely suggesting a theoretical vulnerability, the system attempts to create a functioning proof-of-concept exploit.

This moves beyond vulnerability detection into fully automated offensive security research.

The First Discovery: CVE-2026-3985

The first vulnerability uncovered by the pipeline became CVE-2026-3985.

Researchers identified a blind SQL injection affecting the Creative Mail WordPress plugin.

The plugin had accumulated over 300,000 installations, making the discovery particularly significant.

Although exploitation requires WooCommerce to also be installed, WooCommerce itself powers millions of WordPress websites worldwide, making the vulnerable combination relatively common.

Understanding the SQL Injection

SQL injection remains one of the most dangerous web application vulnerabilities.

When user input reaches database queries without sufficient protection, attackers can manipulate SQL statements.

Successful exploitation may allow attackers to:

Read confidential database records

Extract administrator password hashes

Steal authentication tokens

Obtain API credentials

Escalate privileges

Move laterally throughout an application

The discovered vulnerability required multiple carefully chained requests, making detection significantly more difficult than traditional SQL injection flaws.

A Hidden Development Mistake

One particularly interesting aspect of this vulnerability was that the application’s own static analysis tools failed to detect it.

A subtle coding mistake obscured the vulnerable execution path.

Human researchers might eventually discover such flaws after extensive manual auditing.

The AI pipeline located it automatically.

AI Successfully Generated a Working Exploit

Perhaps the most remarkable achievement

The exploitation agent successfully generated:

A proof-of-concept exploit

Validation logic

Database extraction procedures

Password hash retrieval methods

All without human intervention.

This demonstrates that modern AI can already automate portions of penetration testing previously considered dependent upon expert researchers.

Responsible Disclosure Remains Critical

Researchers responsibly disclosed the vulnerability.

The issue was independently discovered by another researcher from CleanTalk Inc. and reported through Wordfence.

Following disclosure, the affected plugin was removed from the official WordPress repository pending security review and patch development.

This highlights that responsible disclosure remains essential even as AI accelerates vulnerability discovery.

Why This Matters Beyond One WordPress Plugin

This research is not important because of a single SQL injection.

Its significance lies in proving an entirely new research methodology.

Traditional vulnerability discovery often requires:

Manual auditing

Reverse engineering

Deep software knowledge

Significant engineering time

AI now performs portions of this process automatically.

As these systems mature, researchers may investigate thousands of software projects simultaneously.

That fundamentally changes software security economics.

Deep Analysis: AI-Powered Vulnerability Research and Offensive Security Commands

The techniques demonstrated by Intruder combine static analysis with automated exploit development. Security researchers commonly use the following tools and commands during authorized security assessments to identify data flows, inspect code, and validate findings. These examples are intended for defensive research and testing in controlled environments.

Analyzing Source Code with Joern

joern-parse .
joern
importCode("project")

Generating a Code Property Graph

joern-export --repr cpg

Searching for SQL Query Functions

scala

cpg.call.name(.query.).l

Finding User-Controlled Input

scala

cpg.method.name(.ajax.).l

Tracing Function Calls

scala

cpg.call.callee.l

Scanning a WordPress Installation

wpscan --url https://target-site.com

Running Static Analysis

semgrep scan .

Launching a Local Docker Test Environment

docker compose up -d

Inspecting HTTP Requests

curl -X POST http://localhost/wp-admin/admin-ajax.php

Monitoring SQL Queries

mysql -u root -p
SHOW PROCESSLIST;

Reviewing Application Logs

tail -f /var/log/apache2/access.log

Searching for Unsanitized Variables

grep -R "\$_POST" .

grep -R \$_GET .

Validating WordPress Plugins

wp plugin list

These tools illustrate how traditional static analysis can be combined with AI-assisted reasoning to streamline vulnerability research. While automation can significantly improve efficiency, every discovered issue should still undergo responsible verification and disclosure before public release.

What Undercode Say:

Artificial intelligence has officially crossed an important milestone in cybersecurity. This research proves that AI is no longer just assisting developers by generating code or explaining vulnerabilities. It is actively participating in vulnerability discovery, exploit development, and security validation.

The most impressive aspect of this project is not that an AI found SQL injection. Static analyzers have located similar flaws for years. The real breakthrough is the orchestration of multiple intelligent stages that mimic the workflow of experienced penetration testers.

The use of program slicing is arguably more valuable than the language models themselves. By dramatically reducing contextual noise, the researchers solved one of the biggest weaknesses of modern LLMs. Instead of making models larger, they made their input smarter.

This approach represents a shift from brute-force AI reasoning toward context-aware security engineering.

Attackers are almost certainly experimenting with comparable pipelines.

Unlike human researchers, automated systems never become tired, never lose focus, and can continuously scan thousands of repositories around the clock.

Organizations should assume that vulnerability discovery timelines will continue shrinking.

Software vendors may soon face zero-day discoveries within days of releasing new code.

Traditional annual penetration testing will increasingly become insufficient.

Continuous AI-assisted security validation is likely to become the new industry standard.

Defensive security platforms must evolve at the same pace.

Static analysis alone is no longer enough.

Dynamic analysis alone is no longer enough.

Manual penetration testing alone is no longer enough.

Future security strategies will combine:

Static code analysis

Runtime analysis

AI reasoning

Autonomous exploit validation

Continuous deployment security

Automated patch verification

Another important takeaway is the modular design of Intruder’s pipeline.

Rather than expecting a single AI model to perform every task, specialized agents each solve a narrow problem.

This architecture resembles modern distributed systems more than traditional AI workflows.

It is scalable.

It is efficient.

Most importantly, it reflects how experienced security teams already operate.

As reasoning models continue improving, fewer false positives should remain.

Multi-stage vulnerabilities that once required weeks of investigation may soon be discovered in hours.

Security researchers will shift from manually finding vulnerabilities toward supervising autonomous research systems.

The cybersecurity workforce is unlikely to disappear, but its role will evolve dramatically.

Experts will increasingly focus on validating AI findings, coordinating responsible disclosure, and designing stronger defensive architectures.

This research also serves as a warning for organizations relying solely on legacy vulnerability scanners.

Traditional signature-based detection cannot keep pace with AI-generated attack discovery.

Companies should invest in secure development practices, continuous code review, automated testing, and rapid patch management before adversaries fully weaponize these capabilities.

The race is no longer between hackers and defenders alone.

It is becoming a race between autonomous security systems on both sides.

✅ Verified: Intruder publicly described an AI-assisted vulnerability research pipeline that combines static code analysis with large language models to discover and validate software vulnerabilities.

✅ Verified: The disclosed vulnerability, CVE-2026-3985, affected the Creative Mail WordPress plugin and involved a blind SQL injection requiring specific deployment conditions, including the presence of WooCommerce.

✅ Verified with Context: The article accurately demonstrates that current AI models can significantly assist vulnerability research. However, the success depended on a carefully engineered pipeline using static analysis, program slicing, and automated testing—not on a standalone language model analyzing an entire codebase by itself.

Prediction

(+1) AI-assisted vulnerability research platforms will become a standard component of enterprise Secure Development Lifecycle (SDLC) pipelines, allowing organizations to identify complex vulnerabilities before software reaches production.

(-1) Cybercriminal groups will increasingly adopt similar AI-driven workflows to automate zero-day discovery, reducing the time between software releases and real-world exploitation, thereby intensifying pressure on vendors to deliver continuous security updates rather than periodic patches.

▶️ Related Video (76% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.stackexchange.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube