• Home
  • cyber
  • TP-Link and Japanese Tech Firm: Google Detects First AI-Generated Zero-Day Exploit
cyber Vulnerability

TP-Link and Japanese Tech Firm: Google Detects First AI-Generated Zero-Day Exploit

May 4, 2026 2 min read
TP-Link and Japanese Tech Firm: Google Detects First AI-Generated Zero-Day Exploit

Google Uncovers First AI-Generated Zero-Day Exploit in Cybercrime Campaign

Google has identified the first known zero-day exploit developed with the assistance of artificial intelligence, marking a significant evolution in cyber threats. In a report published Monday, Google’s Threat Intelligence Group (GTIG) and Mandiant detailed how a prominent cybercrime group used AI to craft a Python-based exploit targeting an open-source web administration tool, specifically designed to bypass two-factor authentication (2FA).

While Google did not disclose the threat actor or the affected software, it confirmed collaboration with the vendor to mitigate potential mass exploitation. Analysis of the exploit’s structure including educational docstrings, a hallucinated CVSS score, and a "textbook" Pythonic format suggests the use of a large language model (LLM) in its development. Google clarified that its own AI, Gemini, was not involved.

The report also highlights state-sponsored actors leveraging AI for vulnerability research. Chinese-linked groups, including UNC2814, have employed agentic tools like Strix and Hexstrike in attacks on a Japanese tech firm and an East Asian cybersecurity company. UNC2814 further used AI-driven "persona-driven jailbreaks" instructing models to act as senior security auditors to analyze vulnerabilities in embedded devices, such as TP-Link firmware.

North Korea’s APT45, meanwhile, deployed AI to automate the analysis of CVEs and validate proof-of-concept (PoC) exploits at scale, enabling a more robust arsenal than manual methods could achieve. Beyond exploit development, the report outlines AI’s role in autonomous malware operations, defense evasion, and supply chain attacks, as well as threat actors’ growing interest in premium LLM access.

This incident underscores AI’s dual-edged impact on cybersecurity, where both attackers and defenders are rapidly integrating advanced tools into their strategies.

Source: https://www.securityweek.com/google-detects-first-ai-generated-zero-day-exploit/

TP-Link cybersecurity rating report: https://www.rankiteo.com/company/tp-link-corporation

Tektome cybersecurity rating report: https://www.rankiteo.com/company/tektome

"id": "TP-TEK1778524447",
"linkid": "tp-link-corporation, tektome",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology',
                        'location': 'Japan',
                        'name': 'Undisclosed Japanese tech firm',
                        'type': 'Corporation'},
                       {'industry': 'Cybersecurity',
                        'location': 'East Asia',
                        'name': 'Undisclosed East Asian cybersecurity company',
                        'type': 'Corporation'}],
 'attack_vector': 'AI-assisted exploit development',
 'description': 'Google has identified the first known zero-day exploit '
                'developed with the assistance of artificial intelligence. A '
                'cybercrime group used AI to craft a Python-based exploit '
                'targeting an open-source web administration tool, designed to '
                "bypass two-factor authentication (2FA). The exploit's "
                'structure suggests the use of a large language model (LLM) in '
                'its development. The report also highlights state-sponsored '
                'actors leveraging AI for vulnerability research and exploit '
                'development.',
 'impact': {'systems_affected': ['Open-source web administration tool',
                                 'Embedded devices (e.g., TP-Link firmware)']},
 'lessons_learned': "AI's dual-edged impact on cybersecurity, where both "
                    'attackers and defenders are rapidly integrating advanced '
                    'tools into their strategies.',
 'motivation': ['Bypass two-factor authentication (2FA)',
                'Vulnerability research',
                'Automated exploit validation',
                'Defense evasion',
                'Supply chain attacks'],
 'post_incident_analysis': {'root_causes': 'AI-assisted exploit development, '
                                           'automated vulnerability research, '
                                           'and persona-driven jailbreaks for '
                                           'vulnerability analysis'},
 'references': [{'source': 'Google’s Threat Intelligence Group (GTIG) and '
                           'Mandiant Report'}],
 'response': {'remediation_measures': 'Collaboration with the vendor to '
                                      'mitigate potential mass exploitation',
              'third_party_assistance': 'Google’s Threat Intelligence Group '
                                        '(GTIG) and Mandiant'},
 'threat_actor': ['Cybercrime group (undisclosed)',
                  'UNC2814 (Chinese-linked)',
                  'APT45 (North Korea)'],
 'title': 'First AI-Generated Zero-Day Exploit in Cybercrime Campaign',
 'type': 'Zero-Day Exploit',
 'vulnerability_exploited': 'Open-source web administration tool (undisclosed)'}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.