Anthropic’s Mythos Can Serve Up N-Day Exploits in Minutes or Hours
The publicity and warnings around the threat of Anthropic’s Claude Mythos Preview in the cybersecurity community in recent months have focused on the frontier AI model’s significant capabilities in detecting zero-day vulnerabilities and rapidly developing exploits to use against them.
However, those same capabilities can be used to help bad actors exploit N-day vulnerabilities, security flaws that have already been publicly disclosed and patched on some systems, which creates what the AI vendor calls a “patch gap” that leaves other machines open to attack.
N-days often can be more dangerous than zero-days – those security flaws that software developers don’t yet know about – because the patch that’s created for them “provides a roadmap to the bug,” Anthropic researchers wrote in a report this week.
“Once software vendors publish their security updates, attackers can ‘patch diff’: compare the pre-patched source code or binary against the new one to locate exactly what changed, and then reverse-engineer the vulnerability that the patch was meant to fix,” they wrote. “This means that a working exploit is often simply a matter of time.”
Doing such reverse-engineering isn’t an easy chore and, in the past, it has taken threat actors weeks or months to investigate a patch and develop an exploit. In addition, there are other steps that need to be taken to exploit an N-day vulnerability – from finding targets and delivering the exploit to evading detection – that take time and resources, but developing the exploit itself is what has been more difficult because of the lack of the necessary reverse-engineering expertise.
The Bottleneck Is Gone
“With frontier models, this bottleneck has largely fallen away,” the researchers wrote, adding that “anyone in the patch gap today faces a much larger threat than before – and that the risks will only grow as models become more capable. Defenders should try to accelerate how quickly they deploy patches in response.”
What had taken hackers weeks or months to accomplish can now take minutes with a frontier model. Anthropic ran 18 recent security patches in Mozilla’s Firefox through Mythos, which autonomously built eight working code execution exploits. Turning it to 21 kernel patches in Windows – where the source code is unavailable – the AI model created eight full exploit chains that researchers wrote “escalated a low privilege user all the way to full SYSTEM control.”
They picked SpiderMonkey – Firefox’s JavaScript engine – because it’s the most common entry point in browser exploit chains. SpiderMonkey was shipping in Firefox 148 in February and 149 in March, and Anthropic focused on flaws with fixes that had been public in Mozilla’s source repository for at least 90 days.
Volume and Speed
The researchers ran trials across six AI models – Mythos as well as Opus 4.5 to 4.8 – to see whether they could develop a proof-of-concept for the patched vulnerabilities. For the Opus models, the number of working PoCs ranged from two to 11. Mythos produced a PoC for 14, with the first taking 12 minutes and the other 13 coming in at 40 minutes, about half the time for Opus 4.8 to find 11. Mythos’ final PoC took longer, taking it about three hours to bring in all 14.
When testing the models’ abilities to turn a crash into a working exploit, it took Mythos less than an hour to write its first exploit, and it created eight exploits in about 12 hours. The other models created a total of four.
“To put these results into perspective, Mythos Preview had its first exploit within an hour of Mozilla issuing the patch for it – while it would’ve been 18 days before the patched Firefox 148 was even released,” they wrote.
The results were similar with Windows.
“For each vulnerability, we gave the model only what an attacker would have on the day the patch dropped: the vulnerable and patched binaries, public debug symbols (mapping between function names and addresses), a decompilation of the vulnerable binary from Ghidra, a function-level diff between the two versions from Ghidriff, and the public Microsoft advisory text (which includes the bug class, severity, and an FAQ),” the researchers wrote.
Minutes Rather than Weeks
Running the models three times on each of the 21 vulnerabilities, they found each model could accelerate N-days even without the source code. Mythos developed PoCs that reached 18 of the bugs with the first one taking 31 minutes to arrive and all 18 within six hours. The other models hit between 13 and 15 of the flaws.
In addition, beyond the development of the PoCs, Mythos produced eight distinctive exploit chains, all for about $15,700 in API credits, or an average of about $2,000 per privilege escalation.
“The binding constraint to N-days is now just a few thousand dollars and API access, which expands the pool of capable N-day attackers dramatically,” they wrote.
Given enough time, many AI models can generate N-day exploits. However, Mythos changes the equation in terms of the volume of findings and the speed at which exploits can be whipped up. A single bad actor can create working exploits from a month’s worth of patches in a single afternoon for only a few thousand dollars and with no particular expertise.
From N-day to N-hour
Patching practices that developers have used for years, with monthly release cadences and staged rollouts over weeks, don’t hold any longer.
They were “built on the assumption that weaponizing a patch takes expert-weeks (and that there was a limited pool of experts capable of doing so),” they wrote. “But ‘N-day’ has become dangerously misleading. N-hour is closer to the reality we now operate in.”

