ChatGPT Creates Working Exploit for CVEs Before Public PoCs Released

In a development that could transform vulnerability research, security researcher Matt Keeley demonstrated how artificial intelligence can now create working exploits for critical vulnerabilities before public proof-of-concept (PoC) exploits are available.

Keeley used GPT-4 to develop a functional exploit for CVE-2025-32433, a critical Erlang/OTP SSH vulnerability with a maximum CVSS score of 10.0. This exploit showcases AI’s growing capabilities in cybersecurity.

“GPT-4 not only understood the CVE description, but it also figured out what commit introduced the fix, compared that to the older code, found the diff, located the vuln, and even wrote a proof of concept. When didn’t it work? It debugged it and fixed it too,” Keeley explained in his detailed blog post published on April 17, 2025.

The vulnerability, disclosed on April 16, 2025, affects Erlang/OTP’s SSH server implementation, allowing unauthenticated remote code execution. The critical flaw arises from improper handling of SSH protocol messages during the early stages of a connection, enabling attackers to execute arbitrary code on vulnerable systems with elevated privileges.

Keeley’s approach began when he noticed a tweet from Horizon3.ai researchers mentioning they had created a PoC but hadn’t published it. Using this limited information, he prompted GPT-4 to analyze the vulnerability. The AI systematically:

1. Located different versions of the code
2. Created a tool to diff the vulnerable and patched code
3. Identified the exact cause of the vulnerability
4. Generated exploit code
5. Debugged and fixed the code until it worked

“This opens up some serious questions about how quickly AI can assist in vulnerability research or even automate entire chunks of it. A few years ago, this process would have required specialized Erlang knowledge and hours of manual debugging. Today, it took an afternoon with the right prompts,” Keeley noted.

Security experts express both enthusiasm and concern about this development. While AI democratizes access to security research, it potentially lowers barriers for malicious actors to develop exploits. Only a day after the vulnerability’s disclosure, multiple researchers had created working exploits, with Platform Security publishing their AI-assisted PoC on GitHub.

The affected Erlang/OTP versions (OTP-27.3.2 and prior, OTP-26.2.5.10 and prior, OTP-25.3.2.19 and prior) have been patched in newer releases. Organizations using Erlang/OTP SSH servers are urged to update immediately to fixed versions: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20.

This case highlights how AI is reshaping the cybersecurity landscape. As these tools become more sophisticated, the time between vulnerability disclosure and exploit development continues to shrink, putting increased pressure on organizations to implement rapid patching strategies.

Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy