Abstract
AttackFactory, our new vulnerability research project, demonstrates that public disclosures can now be turned into validated exploit evidence in minutes, not days.
According to the latest reporting from Google Threat Intelligence, adversaries are already using AI to speed up vulnerability exploitation at scale.
While AI-developed zero-day exploits are a real concern, the more immediate operational risk is AI accelerating exploitation of vulnerabilities that are already public. Once a CVE is disclosed, attackers often have the affected versions, the advisory, and the patch. That is enough for an automated workflow to assess exploitability, create exploit code, and discover vulnerable systems. Defenders need matching automation for intake, exposure mapping, prioritisation, and remediation.
1. Overview
AttackFactory takes a newly disclosed CVE, finds the relevant patch, assesses the likely impact, creates exploit code, and verifies the result in an isolated lab.
CVE appears → patch is found → risk is assessed → exploit code is created → lab validation confirms impact
2. Vulnerability Selection
AttackFactory prioritises issues that are most likely to be exploited by attackers.
- Open source code: because both the vulnerable and fixed versions are public, the patch can be diffed to locate the bug.
- High and critical CVEs: these offer the greatest impact to an attacker.
- Internet-facing software: exposed systems are easier for attackers to discover at scale.
3. Architecture
AttackFactory follows a single validation flow from disclosure to evidence.
```mermaid
flowchart TD
cve["New CVE"] --> classified["Classified"]
classified --> patch["Patch reviewed"]
patch --> lab["Lab environment built"]
lab --> exploit["Exploit code created"]
exploit --> test["Exploit tested"]
test --> works{"Exploit works?"}
works -- "Yes" --> patched["Patch applied in lab"]
works -- "No" --> exploit
patched --> confirmed["Exploit fails after patch"]
confirmed --> code["Exploit code"]
confirmed --> report["Technical report and evidence"]
```
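The last two steps of the flow are the part worth getting right: an exploit only counts as validated when it succeeds against the vulnerable build and fails against the patched build. The harness below is an added example, not AttackFactory's code and not the mechanism of any CVE on this page. It uses a constructed toy target pair (a file-read helper with and without a containment check) in a temporary directory so the differential gate can be exercised offline, and it also checks that the patched build still serves a legitimate file, which is the regression caveat a practitioner wants alongside "the payload now fails".

```python
"""Differential validation gate: vulnerable build must fall, patched build must hold.

Constructed example. The two read functions are a generic toy, not the code of
any project or CVE named on this page.
"""
import os
import tempfile
from typing import Callable, Optional

# Constructed marker: the PoC "succeeds" if this content comes back.
MARKER = b"LAB_SECRET_MARKER"


def vulnerable_read(base_dir: str, requested: str) -> Optional[bytes]:
    """Joins user input onto base_dir with no containment check (toy traversal bug)."""
    path = os.path.join(base_dir, requested)
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def patched_read(base_dir: str, requested: str) -> Optional[bytes]:
    """Resolves the final path and refuses anything that escapes base_dir."""
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, requested))
    # commonpath guards against both "../" traversal and absolute-path injection.
    if os.path.commonpath([base, path]) != base:
        return None
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def build_lab(root: str) -> str:
    """Creates <root>/config/app.yml (legitimate) and <root>/secret.txt (outside base)."""
    base = os.path.join(root, "config")
    os.makedirs(base, exist_ok=True)
    with open(os.path.join(base, "app.yml"), "w", encoding="utf-8") as fh:
        fh.write("debug: false\n")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(MARKER)
    return base


def exploit_succeeds(read_fn: Callable[[str, str], Optional[bytes]], base: str, payload: str) -> bool:
    data = read_fn(base, payload)
    return data is not None and MARKER in data


def validate(vulnerable_fn, patched_fn, payload: str) -> str:
    """Runs the same PoC against both builds in a fresh lab and classifies the outcome."""
    with tempfile.TemporaryDirectory() as root:
        base = build_lab(root)
        on_vuln = exploit_succeeds(vulnerable_fn, base, payload)
        on_patched = exploit_succeeds(patched_fn, base, payload)
    if on_vuln and not on_patched:
        return "validated"            # the only outcome that produces exploit evidence
    if on_vuln and on_patched:
        return "not-patch-specific"   # fix did not remove the behaviour, or PoC hits a different bug
    if on_patched and not on_vuln:
        return "inconsistent"         # lab or PoC problem; do not report either way
    return "not-reproduced"           # loop back to exploit development


def legitimate_access_preserved() -> bool:
    """Regression check: the patched build must still serve in-scope files."""
    with tempfile.TemporaryDirectory() as root:
        base = build_lab(root)
        return patched_read(base, "app.yml") == b"debug: false\n"


if __name__ == "__main__":
    print(validate(vulnerable_read, patched_read, "../secret.txt"))   # validated
    print("patched build still serves app.yml:", legitimate_access_preserved())
```

The four-way classification matters more than the happy path: a PoC that succeeds against both builds is not evidence for the CVE under test, and a lab where the patched build falls while the vulnerable one stands is a broken lab, not a finding.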
4. Agentic Attack Pattern: CVE Release to Targeting in Minutes
The primary concern is attackers connecting exploit code generation to other autonomous workflows: discovery of internet-exposed vulnerable systems and the launch of automated attacks.
```mermaid
flowchart LR
feed["CVE Feed"] --> attackfactory["AttackFactory"]
feed --> hunter["Exposure Hunter"]
attackfactory --> merged((" "))
hunter --> merged
merged --> remote["Remote Attack"]
```
For attackers, this becomes a release-to-targeting pipeline. For defenders, the same pattern needs to run in reverse: identify the issue, determine whether it matters, find exposed assets, prioritise by business impact, apply patches or controls, and verify remediation.
Human-centred vulnerability management often assumes days of analysis. Agentic systems can run continuously.
5. Risk of Known Vulnerabilities
AI-assisted zero-day discovery is a serious concern, but N-day exploitation is the more immediate operational problem. N-day means the vulnerability is already public.
- The affected versions are usually known.
- The patch often explains the bug.
- Exploitability can be tested in a lab.
- Public exposure can be searched at scale.
- Many organisations will still be waiting on patch windows.
6. Defender Use Case
For defenders, AttackFactory can move vulnerability response from advisory tracking to evidence-based validation. When paired with Seer and public infrastructure visibility, the workflow can identify relevant emerging vulnerabilities, show which edge-facing systems are discoverable from the outside, create PoCs for validation against those technologies, and produce detection content such as YARA rules for exploitation attempts.
- Seer: identify high-signal vulnerabilities and candidate disclosures affecting watched technologies.
- Public infrastructure visibility: use the same external discovery perspective attackers rely on to understand what is exposed.
- AttackFactory: create controlled PoCs to validate whether discoverable edge systems are actually vulnerable.
- Detection output: generate YARA rules and supporting evidence from the exploit path and observed artefacts.
- Outcome: combine exposure, exploitability, and detection evidence to find and verify weaknesses before threat actors can act on the same public information.
This is not a replacement for governance or human approval. It is a way to move vulnerability response at the speed now being enabled by AI workflows, while keeping testing controlled, auditable, and defensively focused.
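The defender-side steps in sections 4 and 6 (identify the issue, determine whether it matters, find exposed assets, prioritise, verify remediation) reduce to a matching and ranking problem. The script below is an added example, not Seer's or AttackFactory's code. It matches constructed advisories (hypothetical identifiers, not the CVEs in section 7, whose affected ranges this page does not state) against a constructed asset inventory using OSV-style introduced/fixed version ranges, then ranks findings by CVSS, external exposure, and whether lab-validated exploit evidence exists. The scoring weights are assumptions chosen for illustration.

```python
"""Advisory intake, exposure matching and prioritisation (constructed example).

Identifiers, packages, versions and weights below are hypothetical and are not
the CVEs, products or scoring of the page this accompanies.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Range = Tuple[str, Optional[str]]   # (introduced, fixed) ; fixed=None means "no fix yet"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    cvss: float
    affected: Tuple[Range, ...]
    exploit_validated: bool        # lab evidence available (the "Validated" column idea)


@dataclass(frozen=True)
class Asset:
    host: str
    package: str
    version: str
    internet_exposed: bool         # seen from the external discovery perspective


@dataclass(frozen=True)
class Finding:
    host: str
    advisory_id: str
    score: float
    tier: str


def parse_version(v: str) -> Tuple[int, int, int]:
    """Leading numeric components only, padded to three; '4.1.6-SNAPSHOT' -> (4, 1, 6)."""
    nums: List[int] = []
    for part in re.split(r"[.\-+]", v):
        if not part.isdigit():
            break
        nums.append(int(part))
    nums = (nums + [0, 0, 0])[:3]
    return nums[0], nums[1], nums[2]


def version_affected(installed: str, ranges: Tuple[Range, ...]) -> bool:
    """True if installed falls in any [introduced, fixed) range."""
    iv = parse_version(installed)
    for introduced, fixed in ranges:
        if iv < parse_version(introduced):
            continue
        if fixed is None or iv < parse_version(fixed):
            return True
    return False


def priority(adv: Advisory, asset: Asset) -> Tuple[float, str]:
    """CVSS plus assumed bumps for external exposure and validated exploitability."""
    score = adv.cvss
    if asset.internet_exposed:
        score += 2.0
    if adv.exploit_validated:
        score += 2.0
    if asset.internet_exposed and adv.exploit_validated:
        tier = "immediate"      # public, reachable, and proven exploitable
    elif asset.internet_exposed or adv.exploit_validated:
        tier = "urgent"
    else:
        tier = "scheduled"      # normal patch window is defensible
    return round(score, 1), tier


def match_findings(advisories: List[Advisory], assets: List[Asset]) -> List[Finding]:
    findings = []
    for adv in advisories:
        for asset in assets:
            if asset.package != adv.package or not version_affected(asset.version, adv.affected):
                continue
            score, tier = priority(adv, asset)
            findings.append(Finding(asset.host, adv.advisory_id, score, tier))
    return sorted(findings, key=lambda f: (-f.score, f.host))


# Constructed sample data.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "example-config-server", 9.1, (("4.0.0", "4.1.6"), ("4.2.0", "4.2.2")), True),
    Advisory("EXAMPLE-0002", "example-cms", 7.3, (("1.0.0", None),), False),
    Advisory("EXAMPLE-0003", "example-sdk", 8.6, (("3.0.0", "3.22.1"),), True),
]
ASSETS = [
    Asset("cfg-01", "example-config-server", "4.2.1", True),
    Asset("cfg-02", "example-config-server", "4.2.2", True),    # already on the fixed version
    Asset("cfg-03", "example-config-server", "4.0.9", False),
    Asset("cms-01", "example-cms", "2.4.0", True),
    Asset("sdk-01", "example-sdk", "3.10.0", False),
]

if __name__ == "__main__":
    for f in match_findings(ADVISORIES, ASSETS):
        print(f"{f.tier:10} {f.score:5} {f.host:8} {f.advisory_id}")
```

Running the same matcher after a patch is applied (cfg-02 above) is the "verify remediation" step: the host simply stops matching. The parser deliberately treats pre-release suffixes as the numbered release, which is the conservative direction for a defender but should be stated in any report produced from it.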
7. Validated Results: End-to-End Pipeline
For the evaluated CVEs, AttackFactory developed a working exploit in minutes.
7.1 Summary: Four CVE Types, One Pipeline
| CVE | Risk Type | Severity | Project | Business Impact | Validated |
|---|---|---|---|---|---|
| CVE-2026-40982 | Path traversal | 9.1 CRITICAL | Spring Cloud Config | Remote file exposure | Yes |
| CVE-2026-42047 | Information disclosure | 8.6 HIGH | Inngest JS SDK | Secrets-like environment data exposure | Yes |
| CVE-2026-8133 | SQL injection | 7.3 HIGH | FilePress CMS | Database extraction | Yes |
| CVE-2026-43186 | Memory corruption | 8.2 HIGH | Linux kernel IOAM6 | Remote crash/corruption | Yes |
The given CVEs are illustrative of recent High/Critical CVEs in open source software. The key point is that a single automated workflow handled web application, Java, TypeScript, PHP, database, and kernel-level cases without changing the operating model for each domain.
7.2 CVE-2026-40982 — Spring Cloud Config Path Traversal (CVSS 9.1 CRITICAL)
| Attribute | Value |
|---|---|
| Project | Spring Cloud Config Server |
| Business risk | Remote file read from a configuration service |
| Pipeline runtime | ~4 minutes |
| Validation result | Vulnerable version exposed a system file; patched version blocked the request |
Outcome: A remote attacker could use the service to read files outside the intended configuration path. For a configuration server, that creates a credible risk of exposing sensitive application or environment data.
7.3 CVE-2026-42047 — Inngest JS Environment Variable Disclosure (CVSS 8.6 HIGH)
| Attribute | Value |
|---|---|
| Project | Inngest JS SDK |
| Business risk | Unauthenticated exposure of server environment variables |
| Pipeline runtime | ~4 minutes |
| Validation result | Vulnerable version leaked secrets-like values; patched version did not |
Outcome: The vulnerable handler could disclose environment variables, including values that commonly hold database URLs, API keys, cloud credentials, and signing secrets. That is a direct confidentiality risk and a potential stepping stone to wider compromise.
7.4 CVE-2026-8133 — FilePress Pre-Auth SQL Injection (CVSS 7.3 HIGH)
| Attribute | Value |
|---|---|
| Project | FilePress CMS |
| Business risk | Unauthenticated database access through application input |
| Pipeline runtime | ~11 minutes |
| Validation result | Vulnerable version allowed database extraction in the lab; patched version rejected the payload |
Outcome: A public-facing content system accepted input that could influence database queries before login. The lab proof confirmed that database information could be extracted and that the patch removed the behaviour.
7.5 CVE-2026-43186 — Linux Kernel IOAM6 Memory Corruption (CVSS 8.2 HIGH)
| Attribute | Value |
|---|---|
| Project | Linux kernel |
| Business risk | Remote packet-triggered kernel crash and memory corruption |
| Pipeline runtime | ~25 minutes, including virtual machine boot and crash capture |
| Validation result | Packet-only denial-of-service/corruption validated; packet-only arbitrary RCE not validated |
Outcome: A crafted IPv6 packet could crash a vulnerable kernel in the lab.
8. Conclusion
AttackFactory demonstrates a change in vulnerability economics. Public disclosure is no longer the beginning of a slow manual research cycle. It can be the trigger for continuous automated analysis, validation, and exposure correlation.
The old model assumed:
Disclosure → manual analysis → exploit development (days) → target discovery → compromise
Updated agentic model:
Disclosure → automated analysis, development, testing, target discovery → compromise (hours)
For defenders, the response must be equally operational. Security teams need systems that can ingest disclosures, identify exposed assets, validate exploitability, and trigger remediation faster than human-only processes can manage.