(zsec.uk) Autonomous LLM-Driven Vulnerability Hunting at Scale: Architecture, Methodology, and Discovered Zero-Days

New research details an autonomous LLM-driven vulnerability hunting system using Claude Code and Model Context Protocol (MCP), uncovering multiple zero-days including critical Go standard library flaws and a four-stage OEM exploit chain.

In brief - A security researcher built an end-to-end autonomous system integrating 300+ tools across five VMs, discovering confirmed CVEs (CVE-2026-33809, CVE-2026-33812) and a complex OEM service exploit chain achieving SYSTEM execution. The system eliminates false positives through a rigorous multi-gate validation pipeline.

Technically - The architecture leverages FastMCP-based Python servers for SSH/WinRM access, Proxmox VM orchestration, reverse engineering with Ghidra, radare2 and Frida, grammar-based fuzzing (WinAFL, Jackalope, DynamoRIO), and FAISS-backed RAG. Key findings: CVE-2026-33809 (out-of-memory condition in Go TIFF parsing via an unchecked IFD offset), CVE-2026-33812 (out-of-memory condition in Go SFNT font parsing via an unchecked uint16 class count), and an OEM exploit chain combining a WCF named pipe authentication bypass, SSRF, catalog injection, and BYOVD (bring your own vulnerable driver) for SYSTEM execution. Validation requires PoC compilation, clean-VM crash reproduction, and exploitability confirmation.

Source: https://blog.zsec.uk/bullyingllms/

#Cybersecurity

Autonomous Vulnerability Hunting with MCP

Alt title: Bullying LLMs into submission to find 0days at scale

ZephrSec - Adventures In Information Security