Cyber Threat Intelligence | PacketWatch

Cyber Threat Intelligence Report | 4/20/2026 | PacketWatch

Written by PacketWatch Team Sixty43 | April 20, 2026

 

This week, we briefed our clients on Anthropic's announcement of Claude Mythos Preview and its alleged ability to discover and exploit vulnerabilities.


KEY TAKEAWAYS

  • Claude Mythos Preview claims to find 0-days and craft exploits autonomously. 

  • Critical and high-severity vulnerabilities in Adobe, SAP, Microsoft, Cisco, nginx-ui, and protobufjs, plus updates to CISA KEV, patch now!



 

The Legend of Mythos

On April 7, Anthropic announced a new general-purpose language model, "Claude Mythos Preview". What sets this model's capabilities apart from any previous model is its alleged ability to not only discover new vulnerabilities in software, but also quickly craft working exploits for them. The capabilities of this model are so powerful and potentially dangerous that Anthropic has temporarily halted public release. They have instead created Project Glasswing, where the model was shared with "Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks in an effort to secure the world's most critical software."

If the claims made by Anthropic are true, the dreaded day where AI systems can allow effectively any user (including threat actors) to rapidly identify vulnerabilities and craft working exploit code is here. Even if this specific model does not quite live up to the hype, this is an early warning signal to the cybersecurity community that things are about to rapidly change. While we may eventually get to a point where defenders are equally armed with AI tools to identify and remediate these new vulnerabilities, there will almost certainly be a period of time where there is a gap in capabilities between attackers and defenders. 

 

The Claim

Anthropic's claims for the capabilities of this model are staggering, and if true will have major implications across the cybersecurity landscape. In order to convey the weight of these claims, instead of paraphrasing, we are including the full quote from the announcement:

"During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so. The vulnerabilities it finds are often subtle or difficult to detect. Many of them are ten or twenty years old, with the oldest we have found so far being a now-patched 27-year-old bug in OpenBSD—an operating system known primarily for its security.

The exploits it constructs are not just run-of-the-mill stack-smashing exploits (though as we’ll show, it can do those too). In one case, Mythos Preview wrote a web browser exploit that chained together four vulnerabilities, writing a complex JIT heap spray that escaped both renderer and OS sandboxes. It autonomously obtained local privilege escalation exploits on Linux and other operating systems by exploiting subtle race conditions and KASLR-bypasses. And it autonomously wrote a remote code execution exploit on FreeBSD’s NFS server that granted full root access to unauthenticated users by splitting a 20-gadget ROP chain over multiple packets.

Non-experts can also leverage Mythos Preview to find and exploit sophisticated vulnerabilities. Engineers at Anthropic with no formal security training have asked Mythos Preview to find remote code execution vulnerabilities overnight, and woken up the following morning to a complete, working exploit. In other cases, we’ve had researchers develop scaffolds that allow Mythos Preview to turn vulnerabilities into exploits without any human intervention."

 

The Reality So Far

While access to Mythos has so far been closely guarded, there has been some public research regarding its capabilities. In a report titled "Our evaluation of Claude Mythos Preview's cyber capabilities", the UK's AI Security Institute ran Mythos and several other AI models against a variety of Capture-the-Flag (CTF) environments. Several key takeaways from these tests include:

    • Mythos Preview completed over 95% of the "beginner-level" CTF tasks
    • Mythos Preview succeeded 73% of the time against "expert-level" tasks, something no model could complete before April 2025.
    • The Institute created a special cyber range called "The Last Ones" (TLO) that modeled a 32-step corporate network attack. Mythos Preview completed all 32 steps in 3 out of 10 attempts and averaged 22 out of 32 steps.

It should be noted that the simulated environment emulated a "small, weakly defended and vulnerable" set of enterprise systems. The research also showed that token limitations hindered its capabilities. More tokens equaled more success. While the tool was not perfect, it outperformed all other AI models in the test and surpassed all previous testing results.

Additionally, per the BBC, the U.S. Treasury confirmed it had raised the issue of Mythos Preview's capabilities with major banks, strongly encouraging them to test it on their systems before any public release of the model. The model's capabilities are advanced enough that the global financial market is taking the threat of it very seriously.

 

How to Protect Your Organization

Organizations are going to have to rethink and modernize their approach to cybersecurity. In a recent blog by Google Threat Intelligence titled "Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever", they outline the "Modern, AI-Integrated Defensive Roadmap". While the full details of this are beyond the scope of this article, Google suggests the following for organizations:

    • Secure Your Code - This includes protecting code repositories, continuously scanning code for vulnerabilities, and implementing frameworks such as Wiz's SDLC Infrastructure Threat Framework (SITF).
    • Move to Automated Security Operations - The volume of automated attacks is going to continue to rise, causing analyst fatigue and burnout. Automating as much as possible will reduce burnout and lower time to remediation.
    • Reduce Attack Surface - Reduce exposure of internet-facing systems, implement zero-trust architectures, maintain network segmentation to reduce blast radius.
    • Maintain Continuous Asset Discovery and Posture Management - Organizations must know where all of their assets are. Annual or quarterly scans are no longer sufficient. Organizations must eliminate blind spots and shadow IT/AI.
    • Expand Automated Scanning Coverage - Automated vulnerability scanning should cover every major operating system in use.
    • Enhance Network Device Patching and Limit Connectivity - Implement automated processes to reduce time to patch. Block unnecessary outbound connections from internal network devices. Baseline which outbound connections are normal in order to alert against anomalies.
    • Formalize Emergency Remediation SLAs - Define remediation SLAs based on severity, exposure, and asset criticality.
    • Secure AI Agents and Implement SAIF - AI agents create and expand the attack surface. Organizations should adopt frameworks such as Google's Secure AI Framework (SAIF) to guide deployment of AI models and applications.

Whether or not Claude Mythos Preview fully lives up to the hype, it is clear that AI is at the precipice of fundamentally shifting the cybersecurity paradigm. These threats can no longer be ignored and need to be taken very seriously. Organizations have a very narrow window of time before these tools are released to the general public. Organizations need to push beyond cybersecurity fundamentals and embrace the new AI paradigm in order to protect themselves.

 


Vulnerability Roundup

 

Adobe Releases Emergency Fix for Acrobat 0-day

On April 11, Adobe published a security update to address a zero-day vulnerability in their Adobe Acrobat software. Tracked as CVE-2026-34621, the flaw allows malicious PDF files to bypass sandbox restrictions and invoke privileged JavaScript APIs, which can potentially lead to arbitrary code execution. No user interaction is required other than opening the malicious PDF file. Evidence from malicious file samples suggests this vulnerability has been exploited in the wild since at least December 2025. Affected versions are:

    • Acrobat DC versions 26.001.21367 and earlier (fixed in 26.001.21411)
    • Acrobat Reader DC versions 26.001.21367 and earlier (fixed in 26.001.21411)
    • Acrobat 2024 versions 24.001.30356 and earlier (fixed in 24.001.30362 on Windows, 24.001.30360 on Mac)

No workarounds are available; only the security update addresses the vulnerability. Administrators are urged to patch as soon as possible.


 

Critical SQL Injection Flaw in SAP

Among the 20 Security Notes disclosed by SAP on their April 2026 Patch Day is a critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. Tracked as CVE-2026-27681, the flaw allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed by the program. This can allow the threat actor to extract sensitive data as well as delete or corrupt database content. The fix can be found in SAP Security Note #3719353. Administrators are urged to patch as soon as possible.


Patch Tuesday SharePoint Zero-Day

As part of the April Patch Tuesday, Microsoft addressed a zero-day "spoofing" vulnerability in Microsoft SharePoint. Tracked as CVE-2026-32201, successful exploitation can allow an attacker to "view some sensitive information and make changes to disclosed information". Microsoft so far has not shared details on exactly how this was exploited, or the scale at which it was exploited. However, since it is under active exploitation, administrators are urged to apply the Patch Tuesday fixes as soon as possible.


BlueHammer, Redsun, and UnDefend

Over the last two weeks, a series of vulnerabilities and corresponding proof-of-concept code was released by a researcher going by "Nightmare-Eclipse" on GitHub. All three of the vulnerabilities target Windows Defender. The first vulnerability, known as "BlueHammer", is a privilege escalation vulnerability in Defender that allows attackers to gain SYSTEM privileges. This flaw is tracked as CVE-2026-33825 and was addressed in the latest Patch Tuesday by Microsoft. However, two more flaws were disclosed by the researcher.

A flaw known as "UnDefend" is a denial of service vulnerability that, when executed, prevents Windows Defender from receiving updates. It also has an "aggressive" mode that, under certain conditions, can cause Defender to stop responding altogether.

The last flaw disclosed is known as "RedSun", and is also a privilege escalation vulnerability. There is currently no fix for this vulnerability, and it has already been observed being exploited in the wild. The exploit works by abusing a feature in Windows Defender where "cloud-tagged" files are rewritten without validating the target path, allowing files to be written to C:\Windows\System32 with SYSTEM-level privileges. This vulnerability allegedly works on all Windows 10 and 11 versions as well as Windows Server 2019 and later.

 

Multiple Critical Vulnerabilities in Cisco ISE

Last week, Cisco released several security advisories addressing critical vulnerabilities in Cisco Webex Services, Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). The flaw for Cisco Webex, tracked as CVE-2026-20184, affected the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services. It allowed an unauthenticated remote attacker to impersonate any user on the device. This vulnerability was addressed by Cisco and customers do not need to patch. However, Cisco recommends customer action for "affected organizations that are using trust anchors with their SSO integration" by uploading a new identity provider (IdP) SAML certificate to Control Hub. Instructions for this process can be found here.

A pair of vulnerabilities, tracked as CVE-2026-20147 and CVE-2026-20148, affect Cisco ISE and Cisco ISE-PIC, and allow an authenticated remote attacker to achieve remote code execution or conduct path traversal attacks on an affected device. The attacker must have valid administrative credentials to successfully exploit these vulnerabilities. The table below shows affected versions and their corresponding fixed version:

A separate pair of vulnerabilities, tracked as CVE-2026-20180 and CVE-2026-20186, affect Cisco ISE, and allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system of an affected device. In order to successfully exploit these vulnerabilities, the attacker must have at least Read Only Admin credentials. The table below shows affected versions and their corresponding fixed version:

 

Critical nginx-ui Vulnerability Under Active Exploitation

Researchers at Pluto Security recently disclosed details on a critical vulnerability in nginx-ui that is codenamed "MCPwn". nginx-ui is a graphical web interface that assists administrators in managing nginx servers. Tracked as CVE-2026-33032, the flaw is an authentication bypass vulnerability that allows threat actors to seize control of the Nginx service. The flaw resides in a lack of authentication on the "/mcp_message" API endpoint. Per the disclosure, the attack can be successfully carried out with just two requests:

    • An HTTP GET request to the /mcp endpoint to establish a session and obtain a valid session ID.
    • An HTTP POST request to the vulnerable /mcp_message endpoint using the new session ID to invoke any MCP tool without authentication.

Successful exploitation can allow an attacker to restart nginx, create/modify/delete nginx config files, and trigger automatic config reloads, effectively allowing for complete nginx service takeover.

Per the disclosure from Pluto Security, affected versions are v2.3.3 and earlier, with the fixed version being v2.3.4. As this vulnerability is under active exploitation, administrators are urged to patch as soon as possible.
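As an added example (not code from PacketWatch, Pluto Security or the nginx-ui project), the following Python flags the two-request sequence described above in nginx access logs and checks an nginx-ui version string against the affected range. The log lines are constructed samples in nginx "combined" format; the 60-second window and the assumption that a successful POST to /mcp_message returns HTTP 200 are ours.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log lines (not real traffic). The first source
# performs the GET /mcp then POST /mcp_message pair; the second does not.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2026:10:00:01 +0000] "GET /mcp HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [18/Apr/2026:10:00:02 +0000] "POST /mcp_message?sessionId=abc123 HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [18/Apr/2026:10:05:10 +0000] "GET /api/settings HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Apr/2026:10:05:12 +0000] "POST /mcp_message HTTP/1.1" 401 30 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_log(text):
    """Yield (ip, timestamp, method, path-without-query, status) per parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"],
                   m["path"].split("?")[0], int(m["status"]))

def find_mcpwn_sequences(text, window=timedelta(seconds=60)):
    """Return source IPs that sent GET /mcp and then a successful POST /mcp_message
    within `window` (assumed detection heuristic for CVE-2026-33032)."""
    last_mcp_get = {}
    hits = []
    for ip, ts, method, path, status in parse_log(text):
        if method == "GET" and path == "/mcp" and status == 200:
            last_mcp_get[ip] = ts
        elif method == "POST" and path == "/mcp_message" and status == 200:
            t0 = last_mcp_get.get(ip)
            if t0 is not None and ts - t0 <= window:
                hits.append(ip)
    return hits

def is_vulnerable_nginx_ui(version):
    """True for releases the disclosure lists as affected: v2.3.3 and earlier."""
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    return parts <= (2, 3, 3)
```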

 

Critical Flaw in Protobuf JavaScript Library

Security researchers at Endor Labs have shared details on a critical vulnerability in protobuf.js, the most widely used JavaScript runtime for Protocol Buffers, which is a data format used by applications in the cloud to exchange information. This library is commonly used in Google Cloud, Firebase, and most other modern cloud platforms. It is often installed as a hidden dependency of other popular libraries. This vulnerability has not been assigned a CVE, but is tracked as GHSA-xq3m-2v4x-88gg, the identifier assigned by GitHub, and has a CVSS score of 9.4. Per the Endor Labs research, the vulnerability can be exploited by the attacker supplying a malicious configuration file (protobuf schema) to the target application. Affected versions are protobufjs <= 8.0.0 and <= 7.5.4. Fixed versions are 8.0.1 and 7.5.5. While this has not been confirmed to be exploited in the wild yet, proof-of-concept code is widely available. Administrators are urged to update this library as soon as possible.
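Because protobuf.js is usually pulled in transitively, a quick way to find it is to walk the lockfile rather than package.json. This added Python example (not code from PacketWatch, Endor Labs or the protobufjs project) scans a package-lock.json "packages" map (lockfile version 2 or 3) and reports every nested protobufjs install in the affected ranges above; the lockfile content is a constructed sample.

```python
import json

# Constructed sample package-lock.json (not from any real project): protobufjs
# only appears as a nested, transitive dependency.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@grpc/proto-loader": "^0.7.0"}},
        "node_modules/@grpc/proto-loader": {"version": "0.7.10",
            "dependencies": {"protobufjs": "^7.2.5"}},
        "node_modules/@grpc/proto-loader/node_modules/protobufjs": {"version": "7.5.4"},
        "node_modules/some-tool/node_modules/protobufjs": {"version": "8.0.1"},
    },
})

def parse_semver(version):
    """Turn '7.5.4' into (7, 5, 4); pre-release/build suffixes are dropped."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(x) for x in core.split("."))

def is_affected_protobufjs(version):
    """Affected per GHSA-xq3m-2v4x-88gg: <= 7.5.4 (fixed 7.5.5) and <= 8.0.0 (fixed 8.0.1)."""
    v = parse_semver(version)
    if v[0] >= 8:
        return v < (8, 0, 1)
    return v < (7, 5, 5)          # every release before the 7.x fix, including 6.x

def audit_lockfile(lock_text):
    """Return [(install_path, version)] for every protobufjs copy that needs upgrading."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # The last "node_modules/" segment names the installed package itself.
        if path.split("node_modules/")[-1] == "protobufjs" and "version" in meta:
            if is_affected_protobufjs(meta["version"]):
                findings.append((path, meta["version"]))
    return findings

if __name__ == "__main__":
    for path, ver in audit_lockfile(SAMPLE_LOCK):
        print(f"upgrade {path} ({ver})")
```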

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

  • CVE-2026-34197 - Apache ActiveMQ Improper Input Validation Vulnerability
  • CVE-2026-32201 - Microsoft SharePoint Server Improper Input Validation Vulnerability
  • CVE-2009-0238 - Microsoft Office Remote Code Execution
  • CVE-2026-34621 - Adobe Acrobat and Reader Prototype Pollution Vulnerability
  • CVE-2026-21643 - Fortinet FortiClient EMS SQL Injection Vulnerability
  • CVE-2020-9715 - Adobe Acrobat Use-After-Free Vulnerability
  • CVE-2023-36424 - Microsoft Windows Out-of-Bounds Read Vulnerability
  • CVE-2023-21529 - Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
  • CVE-2025-60710 - Microsoft Windows Link Following Vulnerability
  • CVE-2012-1854 - Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
  • CVE-2026-1340 - Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
  • CVE-2026-35616 - Fortinet FortiClient EMS Improper Access Control Vulnerability


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.