AI Systems Discover Hundreds of Critical Vulnerabilities in Major Software
OpenAI and Anthropic's AI tools found over 10,000 high-severity flaws in popular software, including decades-old vulnerabilities in OpenSSL.
AI-Powered Security Tools Uncover Massive Vulnerability Haul
The cybersecurity landscape shifted dramatically this week as AI systems demonstrated unprecedented capability in discovering critical software vulnerabilities. OpenAI’s newly launched Codex Security tool and Anthropic’s Claude AI have collectively identified thousands of previously unknown security flaws in widely used software.
Key Developments
OpenAI’s Codex Security, launched Friday in research preview, has already scanned over 1.2 million code commits in its first month, identifying 792 critical findings and 10,561 high-severity vulnerabilities across popular projects including OpenSSH, PHP, and Chromium.
Meanwhile, Anthropic’s partnership with Mozilla yielded 22 Firefox vulnerabilities in just two weeks, 14 of them classified as high-severity - nearly a fifth of all high-severity Firefox issues fixed in 2025.
Perhaps most striking are the OpenSSL discoveries: AI systems identified 12 zero-day vulnerabilities that were fixed in OpenSSL’s latest security release, including three bugs that had remained hidden since 1998-2000. One vulnerability received a rare CVSS score of 9.8 (Critical), highlighting the severity of these decades-old flaws.
Industry Context
These developments represent a fundamental shift in vulnerability discovery capabilities. Traditional security research, despite intensive human and automated efforts, had missed these critical flaws for over 25 years in some cases. The scale and speed of AI-driven discovery suggest we’re entering a new era of cybersecurity.
For Irish and European organisations, this creates both opportunities and challenges. While AI tools can dramatically improve defensive capabilities, recent surveys show Irish firms lag behind global counterparts in AI adoption for cybersecurity, with 52% citing unclear risk appetite as a barrier.
Practical Implications
Software developers and security teams should immediately update affected systems, particularly OpenSSL and Firefox installations. The discovery rate suggests many more vulnerabilities await identification in legacy codebases.
Organisations should also evaluate AI-powered security tools for their own environments, while remaining mindful that the same capabilities could be turned to finding vulnerabilities by attackers.
Open Questions
Critical uncertainties remain around the dual-use nature of these AI capabilities, responsible disclosure practices at scale, and how defenders can stay ahead of potential malicious applications. The cybersecurity community must rapidly adapt to this new paradigm while maintaining security standards.