
Project Glasswing Proved AI Can Find the Bugs. Who's Going to Fix Them?

Published: 23 April 2026 at 11:30:00

Alert date: 23 April 2026 at 13:01:25

Source: thehackernews.com


Operating Systems, Zero-Day Vulnerabilities, Emerging Technologies, Security Tools

Anthropic announced Project Glasswing, an initiative built around an AI model that has proved highly effective at discovering software vulnerabilities. Citing security concerns, the company postponed a public release and instead gave access to major technology companies, including Apple, Microsoft, Google, and Amazon, so they can find and patch bugs before adversaries exploit them. The underlying model, Mythos Preview, demonstrated significant capability in automated vulnerability detection, which raises the question of who will remediate the security flaws that AI discovers.

Technical details

Anthropic's Project Glasswing uses Mythos Preview, an AI model that found vulnerabilities across major operating systems and browsers, including bugs that had survived decades of human audits. The model achieved a 72.4% success rate in Firefox JS shell exploit development; it can chain four independent bugs into an exploit sequence that bypasses browser renderer and OS sandboxing, perform local privilege escalation on Linux through race conditions, and build a 20-gadget ROP chain targeting FreeBSD's NFS server. Separately, attackers are already using custom MCP servers that host LLMs to run autonomous attacks, including backdoor creation, infrastructure mapping, vulnerability assessment, and tool execution to obtain domain admin access. The median time from disclosure to weaponized exploit dropped from 771 days in 2018 to single-digit hours by 2024.

Mitigation steps:

Implement signal-driven validation instead of scheduled testing
Use environment-specific context instead of generic CVSS scores
Establish closed-loop remediation with no manual handoffs
Compress validation cycles from days to minutes using AI agents
Validate which vulnerabilities are actually exploitable in the specific environment
Bridge findings to remediation by opening tickets and triggering SOAR playbooks
Focus on autonomous exposure validation to close the gap between vulnerability discovery and patching
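The mitigation list above describes a process rather than a tool. As an added illustration that is not part of the original advisory, the following Python sketch shows what "environment-specific context over CVSS" and "closed-loop remediation" look like in practice: each finding is validated against facts about the asset it sits on (is the vulnerable component even enabled, is the host internet-facing, is there a compensating control, is there an active signal), and anything that survives validation is turned into a ticket with a playbook name. The vulnerability identifiers, asset inventory and ticket sink are all constructed placeholders standing in for a real feed, CMDB and ticketing/SOAR integration.

```python
"""Environment-aware triage of vulnerability findings (constructed example).

Replaces "sort by CVSS" with validation against the environment the finding
lives in, then closes the loop by emitting a ticket for anything actionable.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    component_enabled: bool      # is the vulnerable service/module actually running?
    compensating_control: bool   # e.g. feature disabled, filter in front, hardened sandbox


@dataclass(frozen=True)
class Finding:
    vuln_id: str                 # constructed placeholder, not a real CVE number
    cvss: float                  # generic base score from the feed
    asset: Asset
    exploit_public: bool         # weaponisation reported in the wild
    active_signal: bool          # detection or threat-intel signal seen for this issue


# Score thresholds checked from highest to lowest.
PRIORITY_BY_SCORE = ((8, "critical"), (5, "high"), (1, "medium"))


def validate(finding: Finding) -> tuple[str, list[str]]:
    """Environment-specific validation. Returns (priority, reasons)."""
    asset = finding.asset
    if not asset.component_enabled:
        # The bug is not reachable here, whatever the CVSS says.
        return "not_exploitable", ["vulnerable component not enabled on this asset"]
    score, reasons = 0, []
    if asset.internet_facing:
        score += 3
        reasons.append("internet-facing asset")
    if finding.exploit_public:
        score += 3
        reasons.append("public exploit available")
    if finding.active_signal:
        score += 4
        reasons.append("active signal observed (signal-driven, not calendar-driven)")
    if asset.compensating_control:
        score -= 3
        reasons.append("compensating control reduces exposure")
    if finding.cvss >= 9.0:
        score += 1
        reasons.append("cvss >= 9.0 used only as a tie-breaker")
    for threshold, label in PRIORITY_BY_SCORE:
        if score >= threshold:
            return label, reasons
    return "low", reasons or ["no environmental exposure factors"]


def remediate(findings: list[Finding], ticket_sink: list | None = None) -> list[dict]:
    """Closed loop: validate each finding and open a ticket for anything actionable.

    ticket_sink stands in for the ticketing/SOAR integration; a list is used so
    the example runs offline.
    """
    tickets = [] if ticket_sink is None else ticket_sink
    for f in findings:
        priority, reasons = validate(f)
        if priority in ("critical", "high", "medium"):
            tickets.append({
                "id": f.vuln_id,
                "asset": f.asset.name,
                "priority": priority,
                "reasons": reasons,
                "playbook": "isolate_and_patch" if priority == "critical" else "patch_next_window",
            })
    return tickets


def cvss_only_order(findings: list[Finding]) -> list[str]:
    """What a scheduled, CVSS-driven queue would produce, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample inventory and findings.
EDGE_PROXY = Asset("edge-proxy-01", internet_facing=True, component_enabled=True, compensating_control=False)
BUILD_SERVER = Asset("build-server-02", internet_facing=False, component_enabled=False, compensating_control=False)
VPN_GATEWAY = Asset("vpn-gw-01", internet_facing=True, component_enabled=True, compensating_control=True)
INTERNAL_DB = Asset("db-internal-03", internet_facing=False, component_enabled=True, compensating_control=False)

SAMPLE_FINDINGS = [
    Finding("VULN-0001", 9.8, EDGE_PROXY, exploit_public=True, active_signal=True),
    Finding("VULN-0002", 9.8, BUILD_SERVER, exploit_public=True, active_signal=False),
    Finding("VULN-0003", 5.3, VPN_GATEWAY, exploit_public=True, active_signal=False),
    Finding("VULN-0004", 7.5, INTERNAL_DB, exploit_public=False, active_signal=False),
]

if __name__ == "__main__":
    print("CVSS-only queue:", cvss_only_order(SAMPLE_FINDINGS))
    for t in remediate(SAMPLE_FINDINGS):
        print(t["priority"], t["id"], "on", t["asset"], "->", t["playbook"], "|", "; ".join(t["reasons"]))
```

Run as a script, the CVSS-only queue puts the two 9.8 findings first even though one of them sits on a host where the vulnerable component is not enabled, while the validated loop opens a critical ticket for the internet-facing proxy with an active signal and a medium one for the VPN gateway behind a compensating control, and nothing for the rest.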

Affected products:

Major operating systems
Major browsers
OpenBSD
Firefox JS shell
Linux
FreeBSD NFS server
FortiGate appliances
OpenSSL


This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
