AI/ML, Vulnerability Management, Patch/Configuration Management

Claude Mythos Preview identifies 27-year-old bug, finds ‘thousands’ of zero-days in weeks

(Credit: ardasavasciogullari – stock.adobe.com)

Anthropic said Feb. 7 that Claude Mythos Preview, its new large language model (LLM), discovered “thousands” of severe zero-day vulnerabilities in both open and closed-source software in a matter of weeks.

The company's Red Team said what sets Mythos Preview apart is its ability to develop novel exploits for vulnerabilities with little to no human intervention, sometimes even "overnight."

Along with dramatic speed increases, Mythos Preview identified decades-old bugs, including a 27-year-old integer overflow flaw in OpenBSD and a 16-year-old out-of-bounds write flaw in FFmpeg, demonstrating the model’s ability to find new flaws in code that was heavily scrutinized for years.

The company announced Tuesday that it would not make the model generally available. Instead, the company launched an initiative called Project Glasswing, under which about 40 organizations will use Mythos Preview to improve software and critical infrastructure security.

These companies include Amazon Web Services (AWS), Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.

“Our foundational work with these models has shown we can identify and fix security vulnerabilities across hardware and software at a pace and scale previously impossible,” said Anthony Grieco, senior vice president and chief security and trust officer at Cisco. “That's a profound shift, and a clear signal that the old ways of hardening systems are no longer sufficient.”

An in-depth blog post from the Anthropic Red Team offers further detail about how Mythos Preview discovered new vulnerabilities and developed zero-day exploits and N-day exploits – exploits for previously discovered vulnerabilities for which many systems may remain unpatched.

The Red Team researchers said once armed with tools, scaffolds and prompts, as well as Claude Code, Mythos Preview could discover these vulnerabilities and develop exploits with no human intervention after the prompt. In some cases, it autonomously chained together several vulnerabilities to achieve a successful exploit.

Compared with Anthropic’s preceding frontier model, Claude Opus 4.6, which was used to discover more than 20 vulnerabilities in Firefox earlier this year, Mythos Preview has a much higher exploit success rate, the researchers said: 72.4% compared with 14.4% for Opus 4.6 when attempting to exploit flaws in Firefox’s JavaScript engine.

“Mythos’ reported capabilities over older models could mean an entirely new shift, away from slower review and verification, to fully-automated scanning and exploitation of vulnerabilities. Responsible developers won’t stop manual verification, but for threat actors this could be a huge step up in capability,” William Wright, chief executive officer of Closed Door Security told SC Media in an email.

The company claims Mythos Preview has found vulnerabilities in “every major operating system and every major web browser,” but said 99% of the discovered vulnerabilities have not been patched yet, limiting the details that they could share publicly. However, Anthropic shared cryptographic hashes for vulnerability reports and exploits it says it plans to publish in the future.

What this means for cyber defenders now

While Project Glasswing aims to keep Mythos’ exploit-generating capabilities out of the hands of threat actors, cyber experts say defenders should expect that attackers will eventually wield similar AI tools.

“There are reports that Chinese model companies stole Anthropic IP via distillation attacks, and we should expect that to continue as Mythos and other advanced models become available, Snehal Antani, co-founder and CEO of Horizon3 tol SC Media. "In terms of vulnerability research, we should expect the cost and effort to discover vulnerabilities approach $0 over time as the models commoditize and become available via Chinese and open source alternatives."

As the evolution of these AI models reaches a point where organizations can no longer keep up with the speed and scale of both attacks and vulnerabilities disclosures, prioritizing which flaws to patch based on exploitability will be crucial.

“As CVE counts skyrocket in the coming months, understanding how to mitigate exploitation will become a superpower, because not everything can be patched quickly,” Antani said.  

Anthropic says that while they are not making Mythos Preview widely available, working with other frontier models can still give organizations a valuable understanding of how they can use LLMs for cyber defense.

“Gaining practice with using language models for bugfinding is worthwhile, whether it’s with Opus 4.6 or another frontier model. We believe that language models will be an important defensive tool, and that Mythos Preview shows the value of understanding how to use them effectively for cyber defense is only going to increase—markedly,” the Red Team wrote.

The company also says defenders will need to shorten their patch cycles, expedite their vulnerability mitigations strategies and automate technical incident response pipelines, while acknowledging that “it’s about to become very difficult for the security community” as AI exploits proliferate.

Antani said that human expertise will only become more important as AI scales the volume of vulnerability disclosures expected to follow Mythos’ release.

“Most orgs don’t have enough technical experts to fix the current backlog, let alone the impending wave," said Antani. "Agentic remediation nor SOAR are trusted to run at scale against production systems, so organizations need to quickly build more human expert capacity and fiercely prioritize their efforts to maximize risk reduction."

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds