Originally reported by Schneier on Security
TL;DR
AISLE AI system identified 12 zero-day OpenSSL vulnerabilities, including a critical stack buffer overflow with 9.8 CVSS score. Some bugs existed for over 25 years despite extensive auditing.
Multiple zero-day vulnerabilities in critical infrastructure component OpenSSL, including CVE-2025-15467 with CVSS 9.8 score and confirmed exploit development. OpenSSL's ubiquity makes this extremely high impact.
The AISLE AI system has achieved an unprecedented milestone in automated vulnerability research, discovering all 12 zero-day vulnerabilities disclosed in OpenSSL's January 27, 2026 security release. The findings represent a historically unusual concentration of discoveries from a single research team and demonstrate AI's emerging capability to identify complex security flaws that have evaded traditional detection methods.
Among the discoveries, CVE-2025-15467 stands out as particularly severe - a stack buffer overflow in CMS message parsing that enables remote exploitation without valid key material. OpenSSL rated it HIGH severity, while NIST assigned a CVSS v3 score of 9.8 (CRITICAL), an extremely rare severity rating for such established projects.
The research revealed the depth of long-standing vulnerabilities in critical infrastructure:
The AI system's track record across recent OpenSSL releases demonstrates consistent discovery capability:
Exploits for CVE-2025-15467 have already been developed and made available online, underscoring the immediate threat these discoveries represent. The remote exploitability without authentication makes this particularly concerning for the vast ecosystem of applications and services relying on OpenSSL.
This development signals a fundamental shift in vulnerability research capabilities. As noted by security expert Bruce Schneier, "AI vulnerability finding is changing cybersecurity, faster than expected." The dual-use nature of this technology means both defensive and offensive actors will leverage these capabilities, potentially accelerating both vulnerability discovery and exploitation timelines.
The findings challenge assumptions about code maturity and security assurance, demonstrating that even extensively audited, decades-old codebases can harbor critical vulnerabilities discoverable through advanced AI analysis.
Originally reported by Schneier on Security