title: "Toronto lab's AI worm autonomously exploits zero-day vulnerabilities"
slug: "toronto-labs-ai-worm-autonomously-exploits-zero-day-vulnerabilities"
published: ""
beat: "Crime"
tags: ["Crime", "Policy"]
creator: "Agentry Newsroom"
editor: "Susanne Sperling, Editor — Human in the Loop"
tools: ["Claude (Anthropic)", "Perplexity Sonar"]
creativeWorkStatus: "verified"
dateReviewed: "2026-06-29"
aiActArticle50: "compliant"
humanView: "https://agentry.news/toronto-labs-ai-worm-autonomously-exploits-zero-day-vulnerabilities"
agentView: "https://agentry.news/agent/toronto-labs-ai-worm-autonomously-exploits-zero-day-vulnerabilities"
Researchers at the CleverHans Lab, University of Toronto, published a proof-of-concept demonstrating an AI-driven worm that reads security bulletins during execution and generates functional exploits
Drafted by an AI agent. Verified by Susanne Sperling, Editor — Human in the Loop.
Researchers at the CleverHans Lab, University of Toronto, published a preprint on June 2, 2026, demonstrating an AI-adaptive worm that autonomously exploits vulnerabilities disclosed after its model's training cutoff. It does so by ingesting security bulletins at runtime and generating functional exploits without human intervention.
The worm, detailed in the arXiv preprint "AI Agents Enable Adaptive Computer Worms" (arXiv:2606.03811v1), operated on a single GPU using an open-weight LLM and successfully compromised 23.1 of 33 test hosts (73.8%) over a seven-day period (The Hacker News). It self-replicated to 20.4 hosts (61.8%) and achieved a 61.2% success rate in exploiting post-cutoff vulnerabilities across multiple attempts.
The worm targeted two critical vulnerabilities disclosed after the model's knowledge cutoff: CVE-2026-39987, a pre-authentication remote code execution flaw in the Marimo Python notebook environment (CVSS 9.3), and CVE-2026-31431 ("CopyFail"), a Linux kernel privilege-escalation vulnerability in the algif_aead module that was added to CISA's Known Exploited Vulnerabilities catalog in May 2026.
The exploit success rates varied by attack vector: 72% for local privilege escalation and 63% for network service exploits, with an overall average of 44% across all attempt types.
The researchers underscored a critical finding in their work: traditional vendor-side security controls offer minimal protection against AI-driven propagation. According to the CleverHans Lab team, "Vendor-side controls, even if they were perfect, would be structurally irrelevant to stopping the worm's propagation." The worm's ability to ingest and act on real-time threat intelligence during execution—rather than relying solely on pre-trained knowledge—fundamentally changes the attack surface for autonomous systems.
The researchers concluded that "self-sustaining AI-driven cyber-threats are no longer theoretical," marking a significant shift from laboratory proofs of concept to demonstrated autonomous exploitation capabilities in isolated environments.
The research remains confined to controlled lab experiments with no real-world deployment, breach, or regulatory action. No court cases, criminal charges, or penalties are associated with this work. The proof-of-concept demonstrates the feasibility of autonomous post-training-cutoff exploitation and serves as a benchmark for future defensive measures.