Researchers at the University of Illinois gave a team of autonomous AI agents a CVE description of a vulnerability and the agents were able to autonomously find and exploit the vulnerability in a test environment in April.
Two months later, the same researchers showed that those teams can now find and exploit previously unknown vulnerabilities. They tested the agents by selecting a list of severe vulnerabilities that were discovered after the cut-off training date for the LLM (GPT-4), so the AIs knew nothing about them. Then they set up a test environment that had those vulnerabilities in them. And the agents were able to find and use those vulnerabilities.
The researchers reported that they were able to hack 53% of test environments, compared to 0% for older approaches like Metasploit. But that doesn’t mean attackers will now hack into every company everywhere, says lead researcher Daniel Kang, a professor at the University of Illinois.
