TL;DR
An AI agent turned a public vulnerability disclosure into a working remote root shell before most human security teams had finished reading the advisory.
MSM Perspective
Forbes frames Claude's exploit as a fundamental shift in the economics of cybersecurity offense.
X Perspective
Security researchers on X are split between admiration for the technical achievement and alarm at the speed of weaponization.
On March 26, the FreeBSD project published a security advisory for CVE-2026-4747, a stack buffer overflow in the operating system's RPCSEC_GSS implementation. Three days later, Anthropic's Claude had written two working remote kernel exploits that delivered a root shell on a target machine. The entire process took approximately four hours of AI computation. [1]
To the knowledge of the researchers who conducted the experiment, it is the first time an AI system has autonomously developed a working remote kernel exploit. The distinction matters: Claude did not merely identify the vulnerability. Given the published advisory as a starting point, it analyzed the affected code, constructed a return-oriented programming chain, designed custom shellcode for multi-packet delivery, and produced a functioning attack that achieved privilege escalation to uid 0. [1]
The work was conducted by Nicholas Carlini in collaboration with Thai Duong's security research team at Calif, whose previous credits include the discovery of the TLS BEAST and CRIME attacks. [1] Carlini provided the CVE write-up and asked Claude to develop an exploit. The AI agent iterated through multiple approaches, debugging kernel crashes and refining its payload, before delivering the finished product.
FreeBSD 14.x proved particularly susceptible because it lacks two common kernel hardening features: kernel address space layout randomization and stack canaries for integer arrays. [1] Those absences reduced the complexity of the exploit, but the underlying achievement -- an AI system reasoning through low-level memory corruption, ROP gadget selection, and shellcode construction -- would translate to more hardened targets with additional effort.
The implications are uncomfortable. Vulnerability disclosure has long operated on the assumption that the gap between advisory and weaponization is measured in days or weeks, during which defenders patch and update. Four hours compresses that window to near-zero. An AI that can convert a public advisory into a working exploit before most security teams have finished their morning stand-up meeting changes the calculus of responsible disclosure entirely.
The cybersecurity community's reaction has been appropriately divided. Some researchers see a powerful new tool for defensive red-teaming: let AI find the exploits first so organizations can patch preemptively. Others note that the same capability, stripped of ethical guardrails, would be devastating in adversarial hands. The tool is neutral. The question, as it always is with dual-use technology, is who wields it and to what end.
What is no longer in question is whether AI can do this work. It can. It did. The advisory-to-exploit pipeline is now measured in hours, not weeks. Every organization running unpatched systems should update its threat model accordingly.
-- ANNA WEBER, Berlin
Sources & X Posts
X Posts