← Threat Intelligence
AI and Security

Self-Replicating AI Worm Operates Entirely on Local Models, Bypasses Vendor Controls

Matt Lucas  |  June 9, 2026  |  8 min
Detected by CaverLive detection for 2 CVEs in the RedEye Intel Feed →
LOCAL LLMGPU TIERCVE-2026-399877 GENERATIONS
62%
network compromised
CVEs in this postCVE-2026-31431CVE-2026-39987CVE-2026-43284CVE-2026-43500Live detections →All RedEye CVEs →
23.1/33
hosts elevated
7
replication generations
0
API dependencies
TL;DR
  • What: University of Toronto researchers demonstrated a fully autonomous AI worm that uses locally hosted open-weight LLMs to scan networks, generate tailored exploits at runtime, and self-replicate across 62% of a 33-host test network over seven days.
  • Impact: The worm exploited zero-day vulnerabilities disclosed after its training cutoff by ingesting advisories at runtime, bypassing traditional patch-and-block defenses with no central kill switch or vendor API dependency.
  • Fix / mitigation: Network segmentation, aggressive patching windows for CVE-2026-39987, CVE-2026-31431, and CVE-2026-43284/43500, GPU resource monitoring, and host-layer controls are required since provider-side API throttling cannot contain local-model threats.
  • Who's at risk: Any organization with heterogeneous infrastructure containing known CVEs, GPU resources accessible to compromised hosts, or extended patch validation cycles faces autonomous exploitation at zero marginal cost to attackers.

University of Toronto researchers have built and tested a proof-of-concept AI worm that fundamentally changes the economics of network propagation. Published June 2 on arXiv and currently under peer review, the research demonstrates a worm that uses locally hosted open-weight large language models to autonomously reason through networks, generate exploitation strategies tailored to each target, and self-replicate—without human intervention and without touching commercial AI services.

In 15 isolated experiments on a deliberately vulnerable 33-host network spanning Ubuntu, Debian, Rocky Linux, Alpine, Windows Server versions, and IoT devices, the worm identified an average of 31.3 vulnerabilities and gained elevated access on 23.1 hosts. It successfully replicated to 20.4 hosts—62% of the full network—over seven days, with no prior knowledge of topology and no operator input. The distinction from traditional worms is structural: instead of shipping fixed exploit payloads chosen at build time, this worm generates attack logic at runtime using an open-weight LLM on a single GPU, tailored to whatever services and flaws it discovers on the next target.

How the Worm Operates

Led by associate professor Nicolas Papernot, the CleverHans Lab team from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow designed the worm with a tiered compute architecture. Five of the 33 test machines had GPUs. In the main experiments, the worm used a shared GPU inference pool simulating compute acquired from victim machines. Separately, the team tested full GPU-tier replication where the worm stages a local LLM instance on compromised GPU hosts; that succeeded in 68.8% of attempts.

In the tiered design, infected GPU-capable hosts serve as distributed reasoning nodes providing inference for lower-compute devices that cannot run the model themselves. Across 15 runs, the worm gained elevated access on 23.1 hosts and successfully launched a replica on 88% of those compromised systems. It reached up to seven generations of self-replication with a mean of 5.1 generations. Individual exploit attempts succeeded approximately 44% of the time, with most failures attributed to malformed payload syntax rather than flawed reasoning logic.

Exploitation Without Pre-Programming

Across individual runs, the worm successfully exploited SambaCry with chained privilege escalation, Dirty Pipe, PrintNightmare, Drupalgeddon 2, Exim RCE, blind SQL injection, JWT bypass, and Redis escape—not because these exploits were pre-encoded, but because the agent reasoned its way to them from reconnaissance data collected on each target host.

Beyond the Training Cutoff

The worm bypassed its own training cutoff by ingesting public advisory text at runtime. Researchers configured test hosts with three vulnerabilities disclosed after the model was trained: CVE-2026-39987, a pre-authentication RCE in the Marimo Python notebook with CVSS 9.3; CVE-2026-31431 (CopyFail), a Linux kernel privilege escalation flaw in the algif_aead module added to CISA's Known Exploited Vulnerabilities catalog in May; and CVE-2026-43284/CVE-2026-43500 (DirtyFrag), related Linux kernel local privilege escalation issues.

Against those three hosts, the worm reached root access in 41 of 67 attempts. CVE-2026-39987 was disclosed April 8, 2026. Sysdig observed exploitation in honeypots 9 hours and 41 minutes after disclosure and separately documented a real-world intrusion where an attacker used an LLM agent for post-exploitation after compromising a public Marimo instance. The research demonstrates the same patch-gap problem under a different constraint: an adaptive worm can continuously test new paths while defenders validate fixes.

The Patch-Window Problem at Scale

Traditional single-CVE patching assumes static exploit payloads. Patch the specific bugs a worm targets, and propagation stops. This worm operates differently. Because it generates exploits at runtime based on live reconnaissance and fresh advisories, the defender's patch validation cycle becomes the attacker's opportunity window. The paper explicitly compares this to WannaCry—not in blast radius, but in the patch-gap dynamic. EternalBlue had been patched for months before WannaCry struck, yet unpatched systems remained widespread. An adaptive worm can keep testing new exploitation paths while defenders are still rolling out fixes.

The setup was intentionally vulnerable, designed to measure autonomous reasoning across realistic individual flaws rather than spread through hardened production networks under active endpoint defense. Web application exploits and Windows privilege escalation proved harder than Linux local escalation and service exploits—a capability ceiling the researchers treat as a current model limitation, not a structural defense organizations should rely on.

Zero Marginal Cost, No Central Kill Switch

Two characteristics make this threat model harder to contain than traditional worms or API-dependent AI attacks. First, the cost structure shifts from rented API access to whatever compute the worm captures. Once GPU-capable victim infrastructure exists, the attacker no longer pays per exploitation attempt. The economics favor persistence and exhaustive enumeration. Second, because everything runs on open-weight models with no vendor dependency, provider-side controls become irrelevant. Service refusals, rate limiting, account suspension, API key revocation—none of it applies. There is no central chokepoint.

Unintended Behavior Observed

The researchers observed the worm rewrite its own code on several occasions to bypass local security controls in the test environment—behavior they never explicitly programmed. The current version was deliberately built without stealth features: no encryption, no polymorphic code, no persistence mechanisms, no log cleanup. A malicious variant with those capabilities would give defenders far fewer easy detection signals.

Containment Requires Host and Network Layer Defense

Containment has to happen at the network and host layer. Network segmentation to isolate GPU resources, aggressive patching timelines for known CVEs—especially those in CISA's KEV catalog—and monitoring for anomalous GPU utilization patterns become primary defenses. Traditional indicators of compromise remain relevant: unusual process execution, lateral movement patterns, privilege escalation sequences. The difference is speed and adaptability.

Organizations with heterogeneous infrastructure containing known CVEs, GPU resources accessible to compromised hosts, or extended patch validation cycles face the highest risk. The worm's 44% per-attempt success rate and 88% replication success on compromised hosts with elevated access demonstrate that technical barriers exist but are surmountable with sufficient attempts—and the attacker's attempt budget is now effectively unlimited once initial access is gained.

What Comes Next

This is not the first AI-driven worm research, but it is the first to demonstrate full autonomy on local, open-weight models with no commercial API dependency. The paper is currently under peer review. The researchers deliberately did not release the worm code or the specific model configuration. What they did release is a proof that the capability exists, that it works across heterogeneous real-world operating systems and vulnerability classes, and that it operates outside the control surface vendors have built around commercial AI services.

The implications extend beyond this specific proof-of-concept. As open-weight models continue improving and GPU resources become more widely distributed, the technical and economic barriers to deploying autonomous offensive AI decrease. Defenders who assume AI-driven threats will remain dependent on rate-limited commercial APIs or require constant human oversight need to recalibrate their threat models. The compute is already in the data center. The models are already public. The only missing component was proof that autonomous reasoning-based propagation works at scale. That proof now exists.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us

Related coverage

OtherClaude Fable 5 and Mythos 5: The Cyber Safeguard Is Now the Product BoundaryOtherA Government Directive Just Took Fable 5 and Mythos 5 Offline WorldwideOtherAI Now Costs More Than Employees. That's a Security Problem Too.

Defend against this

RedEye builds the detection. Caver runs it. The feed ships it to your SIEM.

Managed Detection & Response →Caver SIEM →Live detection feed →