Google Documents First AI-Driven Zero-Day: Criminals Bypassed 2FA in Open-Source Platform Before Disruption
Google's Threat Intelligence Group has documented what it describes as the first confirmed case of cybercriminals using artificial intelligence to both discover and weaponize a zero-day vulnerability in a planned mass-exploitation campaign. The finding signals a potential turning point in the evolution of cyber threat capabilities, as sophisticated attack development becomes increasingly accessible to criminal operators.
The vulnerability in question was a two-factor authentication bypass targeting a popular open-source web-based administration platform. According to GTIG, the attackers leveraged an AI model throughout the exploit development process—using it to identify the flaw and assist in transforming it into a functional exploit for large-scale intrusion operations. Google worked directly with the unnamed vendor to quietly develop and deploy a patch before the campaign could gain traction, an intervention the company believes disrupted the operation before it could execute at scale.
While Google emphasized that neither its Gemini model nor Anthropic's Claude was involved in the attack chain, the incident underscores the growing integration of AI into offensive cyber operations. The case demonstrates that threat actors are actively experimenting with AI-assisted vulnerability discovery, which raises the technical sophistication of such operations while simultaneously lowering the expertise required to execute them. Security teams should anticipate further incidents along these lines as AI tools continue to proliferate across criminal markets.