Google Just Confirmed the First AI-Generated Zero-Day Exploit. Here's What That Means.
Google's threat intelligence team says a hacker used AI to discover and weaponize a zero-day vulnerability in a web admin tool. This is the first confirmed case, and it changes the math on how fast you need to patch.
For the past year, security researchers have been warning that AI would eventually be used to find and exploit software vulnerabilities faster than humans can. Last week, Google confirmed it’s happening.
What Google found
On May 11, Google’s Threat Intelligence Group (GTIG) published a report identifying what they say is the first confirmed case of a threat actor using AI to develop a zero-day exploit. The target was a popular open-source web administration tool used by organizations worldwide.
The exploit bypassed the tool’s two-factor authentication. Google caught it before it was used at scale, but the code was functional and ready for deployment.
How did Google know AI was involved? The exploit code had telltale signs: educational-style comments throughout the script, a hallucinated CVSS severity score (CVSS is a real vulnerability scoring system, but the value embedded in the code appears to have been invented by the model), and a textbook Python structure that’s characteristic of large language model output. Google says it has “high confidence” the adversary used an AI model both to discover the vulnerability and to write the exploit.
The vulnerability itself was a semantic logic bug: a flaw in how the software makes decisions, rather than a memory corruption issue. That distinction matters because logic bugs are exactly the kind of thing AI systems are good at finding. Spotting one requires understanding what the software is supposed to do and noticing where its behavior departs from that, which is why traditional automated scanning tools often miss them.
This wasn’t the only finding
Google’s report also documented Chinese, North Korean, and Russian state-sponsored groups using AI for vulnerability discovery and exploit development. Russian-linked actors were using AI-generated code as decoy logic to hide malware. Another group was using AI voice cloning to impersonate journalists.
The report paints a picture of AI being integrated into offensive cyber operations at every level, from exploit development to social engineering to malware obfuscation. It’s not experimental anymore. It’s operational.
Why this matters for your firm
Most small and mid-size firms don’t think of themselves as targets for zero-day exploits. That’s historically been true. Zero-days were expensive to develop, so attackers saved them for high-value targets.
AI changes that math. If discovering a vulnerability takes an afternoon with an LLM instead of weeks of manual research, the economics shift. The same vulnerability that gets used against a defense contractor can get used against the web portal your firm runs for client document sharing, or the admin tool your IT provider uses to manage your network.
Here’s what this means practically:
Patching speed matters more than ever. The window between a vulnerability being discovered and being exploited is shrinking. If your firm applies patches monthly (or worse, quarterly), you’re accepting a level of risk that’s growing every month. Critical and high-severity patches need to go out within days, not weeks.
You can’t patch what you don’t know about. Do you know every piece of software running in your environment? Every web tool, every browser extension, every plugin? If you don’t have an up-to-date inventory, you can’t know whether a newly disclosed vulnerability affects you. This is the boring part of security, and it’s the part that saves you.
“We’re too small to be targeted” is losing credibility fast. We wrote the same thing about AI-powered phishing a few weeks ago. AI reduces the cost of attacks across the board. That includes vulnerability exploitation. The targeting threshold is dropping.
Web-facing tools are the front door. The tool in Google’s report was a web administration panel. These are exactly the kinds of tools that small firms expose to the internet without thinking much about it: client portals, remote access pages, web-based admin interfaces. If it’s reachable from the internet and it runs software, it’s a target.
What to do about it
The UK’s AI Safety Institute reviewed the same class of AI capabilities and reached a conclusion that’s actually reassuring: “This highlights the importance of cybersecurity basics, such as regular application of security updates, robust access controls, security configuration, and comprehensive logging.”
The fundamentals haven’t changed. What’s changed is the penalty for not doing them. Patch promptly. Know what’s running in your environment. Use strong identity controls. Log everything. Review your web-facing attack surface.
The firms that were already doing these things well are fine. The ones that were cutting corners just ran out of room.
Artech Solutions manages patching, monitoring, and security for law firms and professional services firms across Iowa. If you’re not sure how quickly vulnerabilities are being patched in your environment, we can help you find out.