Anthropic said Feb. 7 that Claude Mythos Preview, its new large language model (LLM), discovered “thousands” of severe zero-day vulnerabilities in both open and closed-source software in a matter of weeks.The company's Red Team said what sets Mythos Preview apart is its ability to develop novel exploits for vulnerabilities with little to no human intervention, sometimes even "overnight."Along with dramatic speed increases, Mythos Preview identified decades-old bugs, including a 27-year-old integer overflow flaw in OpenBSD and a 16-year-old out-of-bounds write flaw in FFmpeg, demonstrating the model’s ability to find new flaws in code that was heavily scrutinized for years.The company announced Tuesday that it would not make the model generally available. Instead, the company launched an initiative called Project Glasswing, under which about 40 organizations will use Mythos Preview to improve software and critical infrastructure security.These companies include Amazon Web Services (AWS), Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.“Our foundational work with these models has shown we can identify and fix security vulnerabilities across hardware and software at a pace and scale previously impossible,” said Anthony Grieco, senior vice president and chief security and trust officer at Cisco. “That's a profound shift, and a clear signal that the old ways of hardening systems are no longer sufficient.”An in-depth blog post from the Anthropic Red Team offers further detail about how Mythos Preview discovered new vulnerabilities and developed zero-day exploits and N-day exploits – exploits for previously discovered vulnerabilities for which many systems may remain unpatched.The Red Team researchers said once armed with tools, scaffolds and prompts, as well as Claude Code, Mythos Preview could discover these vulnerabilities and develop exploits with no human intervention after the prompt. In some cases, it autonomously chained together several vulnerabilities to achieve a successful exploit.Compared with Anthropic’s preceding frontier model, Claude Opus 4.6, which was used to discover more than 20 vulnerabilities in Firefox earlier this year, Mythos Preview has a much higher exploit success rate, the researchers said: 72.4% compared with 14.4% for Opus 4.6 when attempting to exploit flaws in Firefox’s JavaScript engine.“Mythos’ reported capabilities over older models could mean an entirely new shift, away from slower review and verification, to fully-automated scanning and exploitation of vulnerabilities. Responsible developers won’t stop manual verification, but for threat actors this could be a huge step up in capability,” William Wright, chief executive officer of Closed Door Security told SC Media in an email.The company claims Mythos Preview has found vulnerabilities in “every major operating system and every major web browser,” but said 99% of the discovered vulnerabilities have not been patched yet, limiting the details that they could share publicly. However, Anthropic shared cryptographic hashes for vulnerability reports and exploits it says it plans to publish in the future.
AI/ML, Vulnerability Management, Patch/Configuration Management
Claude Mythos Preview identifies 27-year-old bug, finds ‘thousands’ of zero-days in weeks

(Credit: ardasavasciogullari – stock.adobe.com)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



