AI-Driven Discovery Uncovers 12 Latest OpenSSL Vulnerabilities
In a landmark achievement for AI-powered cybersecurity, researchers at AISLE have identified twelve new zero-day vulnerabilities within OpenSSL, the widely used open-source cryptographic library. The findings, announced on January 27, 2026, represent a historically significant concentration of vulnerabilities discovered by a single research team, particularly one leveraging artificial intelligence.
The Scale of the Discovery
These vulnerabilities, unknown to OpenSSL maintainers prior to disclosure, were responsibly reported and have been addressed in a coordinated security release. AISLE’s AI system is credited with discovering all twelve vulnerabilities during the fall and winter of 2025. Adding to this, AISLE previously identified three vulnerabilities in the Fall 2025 release, bringing their total contribution to 15 of the 14 CVEs assigned in 2025. This demonstrates a substantial impact on the security of a critical piece of internet infrastructure.
Severity and Persistence of the Vulnerabilities
The discovered vulnerabilities are not minor issues. One, designated CVE-2025-15467, is rated HIGH severity by OpenSSL and received a Critical score of 9.8 out of 10 on the NIST’s Common Vulnerability Scoring System (CVSS v3). This vulnerability is a stack buffer overflow in CMS message parsing, potentially exploitable remotely even without valid key material. Exploits for this vulnerability were rapidly developed and shared online following the disclosure.
Remarkably, three of the vulnerabilities had persisted in the OpenSSL code for over a quarter of a century, dating back to 1998-2000. One vulnerability even predates OpenSSL itself, originating in Eric Young’s original SSLeay implementation from the 1990s. These long-standing flaws evaded detection despite extensive auditing and fuzzing efforts – including millions of CPU-hours of testing – by numerous security teams, including Google’s.
AI’s Role in Patch Development
In five instances, the AI system developed by AISLE not only identified the vulnerabilities but also directly proposed the patches that were subsequently accepted into the official OpenSSL release. This highlights the potential of AI to move beyond vulnerability detection and actively contribute to remediation efforts.
Implications for Cybersecurity
This discovery underscores a significant shift in the cybersecurity landscape. AI is proving capable of both accelerating vulnerability discovery and aiding in the development of solutions. As Stanislav Fort of AISLE notes, AI is simultaneously collapsing the “median” (reducing the prevalence of simple vulnerabilities) and raising the “ceiling” (uncovering previously unknown flaws in critical infrastructure). This capability will be leveraged by both offensive and defensive security actors.
The Broader Context: Curl and AI-Generated Spam
Interestingly, this breakthrough coincides with a challenge faced by the curl project, which recently cancelled its bug bounty program due to a surge of AI-generated spam submissions. Despite the noise, curl also received five genuine CVE reports from AISLE, illustrating the dual impact of AI on vulnerability research.
Looking Ahead
The successful identification of these vulnerabilities by AISLE’s AI system marks a watershed moment for AI-powered software security. As AI technology continues to evolve, its role in securing the software infrastructure of human civilization will only grow more critical, particularly as strong AI systems become more prevalent. The necessitate to proactively address vulnerabilities before they can be exploited by malicious actors is paramount.
Sources:
- AI Found Twelve New Vulnerabilities in OpenSSL – Security Boulevard
- AI found 12 of 12 OpenSSL zero-days (while curl cancelled its bug – LessWrong
- AISLE Discovered 12 out of 12 OpenSSL Vulnerabilities – AISLE Blog
- AISLE Researchers Identify 12 New Security Vulnerabilities in OpenSSL Using AI-Driven Discovery – National Law Review
Related reading