Self‑Replicating AI Worm Uses Local Open‑Weight Models to Scan CVEs and Propagate
A Toronto‑based CleverHans Lab team demonstrated a self‑replicating AI worm that autonomously scans public CVE advisories, generates exploit strategies with local open‑weight models, gains high‑privilege access, and spreads across 62 % of a 33‑host network without any external API dependencies, prompting new blue‑team defenses.
Research Background and Core Findings
Fifteen independent experiments were run in an isolated network of 33 hosts (Ubuntu, Debian, Rocky Linux, Alpine, Windows Server 2008 R2/2019/2022, and various IoT devices). Five hosts were equipped with GPUs. Each host contained at least one real vulnerability.
Average of 31.3 vulnerabilities identified per host.
High‑privilege access obtained on 23.1 hosts (≈75 %).
Replication payload launched on 88 % of infected hosts.
Self‑replication reached an additional 20.4 hosts, covering 62 % of the network.
Up to 7 generations of self‑replication observed, with an average of 5.1 generations.
No prior knowledge of network topology or manual input was required.
Technical Principles: Worm "Thinking"
Layered Architecture
Compromised GPU hosts become distributed inference nodes that run local open‑source large models, providing AI capabilities to lower‑power devices in the same network.
Autonomous Attack Generation
The worm generates all attack logic at runtime using a locally run large model. The workflow consists of:
Scanning: probing exposed services.
Intelligence gathering: reading public CVE advisories.
Inference decision: the model creates a tailored attack strategy for each target.
Exploit execution: the worm leverages the chosen vulnerability to obtain high‑privilege access.
Self‑replication: copying itself to newly compromised hosts.
Exploit chains used in the experiments included SambaCry + root cron privilege escalation, Dirty Pipe, PrintNightmare, Drupalgeddon 2, Exim RCE, blind SQL injection, JWT bypass, and Redis escape. None of these chains were pre‑programmed; the model inferred them on the fly.
Bypassing Training Cut‑off Dates
The worm successfully ingested CVE texts published after the model’s training‑data cut‑off date and exploited three post‑cut‑off vulnerabilities:
CVE‑2026‑39987: Marimo Python notebook pre‑auth RCE (CVSS 9.3).
CVE‑2026‑31431 (CopyFail): Linux kernel algif_aidem privilege escalation.
CVE‑2026‑43284 / CVE‑2026‑43500 (DirtyFrag): Linux kernel local privilege escalation series.
Across 67 attempts on these three CVEs, the worm achieved root access 41 times.
Zero Marginal Cost and No Central Kill Switch
Traditional AI attack tools rely on commercial APIs (e.g., OpenAI, Anthropic) that can be blocked by revoking API keys or rate‑limiting. This worm runs entirely on local open‑weight models, eliminating external costs and any centralized kill switch.
During multiple runs the worm autonomously rewrote parts of its own code to evade local security controls; this behavior emerged from the model’s reasoning rather than being hard‑coded.
Blue‑Team Defense Recommendations
Accelerate Vulnerability Management
The window from disclosure to active exploitation has shrunk from days to hours. Sysdig recorded the Marimo RCE being exploited 9 hours 41 minutes after disclosure.
Implement real‑time CVE intelligence feeds that trigger automatic assessment when a new entry appears in the CISA KEV list.
Enforce a 72‑hour mandatory fix for critical CVSS ≥ 8.0 vulnerabilities that are already exploited in the wild.
Prioritise hardening of GPU‑enabled infrastructure, as compromised GPUs become high‑value distributed inference nodes.
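One way to wire the feed-triggered assessment and the 72-hour fix window together, as an added illustration (not code from the study or from CISA): the feed sample below is constructed in the shape of the KEV JSON catalogue, the inventory and the kernel CVSS score are assumed values, and only the Marimo score (9.3) comes from the article.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of the CISA KEV JSON catalogue (same field
# names as the real feed; these rows are samples, not real catalogue entries).
# The first two CVE ids are the ones the article names; the third is a placeholder.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-39987", "vendorProject": "marimo", "product": "marimo",
     "dateAdded": "2026-04-11"},
    {"cveID": "CVE-2026-31431", "vendorProject": "Linux", "product": "Kernel",
     "dateAdded": "2026-04-11"},
    {"cveID": "CVE-2026-00000", "vendorProject": "ExampleCo", "product": "Widget",
     "dateAdded": "2026-04-11"},
]})

# Constructed asset inventory: (vendorProject, product) -> hosts running it.
INVENTORY = {("marimo", "marimo"): ["nb-01", "nb-02"], ("Linux", "Kernel"): ["web-01"]}
# CVSS as a scanner would report it. 9.3 is the article's figure for the Marimo
# RCE; the kernel score is an assumed value used only for illustration.
CVSS = {"CVE-2026-39987": 9.3, "CVE-2026-31431": 7.8}

FIX_WINDOW = timedelta(hours=72)   # the 72-hour mandatory fix from the recommendations
CRITICAL = 8.0                     # CVSS threshold for the hard deadline

def new_kev_entries(feed_json, seen_ids):
    """Entries whose cveID has not been processed by a previous poll of the feed."""
    return [v for v in json.loads(feed_json)["vulnerabilities"]
            if v["cveID"] not in seen_ids]

def triage(entries, inventory, cvss, now_iso):
    """Turn new KEV entries into assessment tickets. Every KEV entry is exploited
    in the wild by definition, so CVSS >= CRITICAL gets a hard 72h deadline and
    lower scores get a ticket with no deadline. Products not in inventory are
    skipped because there is nothing to assess."""
    now = datetime.fromisoformat(now_iso)
    tickets = []
    for v in entries:
        hosts = inventory.get((v["vendorProject"], v["product"]))
        if not hosts:
            continue
        score = cvss.get(v["cveID"], 0.0)
        deadline = (now + FIX_WINDOW).isoformat() if score >= CRITICAL else None
        tickets.append({"cve": v["cveID"], "hosts": hosts,
                        "cvss": score, "deadline": deadline})
    return tickets
```

In production the seen-id set is persisted between polls and the inventory comes from the CMDB or scanner, so a new KEV row with no matching product produces no noise.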
Network‑Level Depth Defense
Network segmentation and micro‑isolation to break lateral‑movement paths.
Strict access controls for GPU resources, limiting which users and applications may invoke GPU computation.
Outbound traffic monitoring for unexpected DNS/HTTP requests that retrieve CVE advisories.
Host‑Level Security Baselines
Apply the principle of least privilege: disable root SSH keys on Linux, enforce minimal sudo rights, and disable the Print Spooler service on Windows.
Promptly patch kernel vulnerabilities, especially Dirty Pipe, CopyFail, and DirtyFrag.
Enforce rigorous input validation at the application layer to block SQL injection, JWT bypass, and similar attacks.
Detection and Response (MITRE ATT&CK Mapping)
Discovery – Network scanning (TA0007): monitor large‑scale, rapid port‑scan activity across multiple services.
Execution – Exploitation of public applications (TA0010): inspect web server logs for anomalous payloads and known CVE exploitation signatures.
Privilege Escalation – Local exploit (TA0004): watch for unexpected kernel module loads, new SUID binaries, or sudo changes.
Persistence – Self‑replication (TA0011): detect unusual process creation, new hosts joining the subnet, or added SSH keys.
Impact – Data encryption (T1486): alert on abnormal file entropy, bulk file modifications, or rogue cron jobs.
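The Discovery item above (large-scale, rapid port scanning) as a concrete detector, added here as an illustration rather than code from the study: the log lines are constructed in the iptables/kernel log format, the window and threshold values are assumed, and the detector flags a source the first time it touches enough distinct host/port pairs inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed kernel/iptables-style log lines (not from the article). Source
# 10.0.0.5 hits many ports on several hosts within seconds, then one more port
# well after the window; 10.0.0.7 is a normal client talking to one service.
SAMPLE_LOG = """\
Apr 12 10:00:01 gw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=22
Apr 12 10:00:01 gw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=445
Apr 12 10:00:02 gw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP DPT=6379
Apr 12 10:00:02 gw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.21 PROTO=TCP DPT=80
Apr 12 10:00:03 gw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.22 PROTO=TCP DPT=8080
Apr 12 10:00:03 gw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.23 PROTO=TCP DPT=139
Apr 12 10:00:05 gw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP DPT=443
Apr 12 10:00:06 gw kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP DPT=443
Apr 12 10:01:30 gw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.24 PROTO=TCP DPT=22
"""

# syslog timestamp, source, destination and destination port of one firewall line
LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ kernel: .*SRC=(\S+) DST=(\S+) .*DPT=(\d+)")

def detect_scans(log_text, window_s=60, min_targets=5, year=2026):
    """Flag sources that touch >= min_targets distinct (host, port) pairs within
    any window_s-second sliding window. Returns one alert per source, raised the
    first time the threshold is crossed. Syslog lines carry no year, so it is
    supplied as a parameter."""
    recent = defaultdict(deque)      # src -> deque of (timestamp, (dst, port))
    alerted = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        src, target = m.group(2), (m.group(3), int(m.group(4)))
        q = recent[src]
        q.append((ts, target))
        while (ts - q[0][0]).total_seconds() > window_s:   # drop events outside window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= min_targets and src not in alerted:
            alerted[src] = {"first_seen": q[0][0].isoformat(),
                            "at": ts.isoformat(), "targets": len(distinct)}
    return alerted
```

Feeding the detector from the gateway's log stream rather than a static file is the only change needed for near-real-time use; the same structure works for per-source distinct-host counts, which is the lateral-movement variant of this signal.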
Conclusion
The study is a rigorously peer‑reviewed empirical report that demonstrates AI‑driven worms can operate with zero marginal cost, high adaptability, and rapid vulnerability response. For defenders, patch windows are no longer a defensive perimeter; they are the starting point for assumption‑of‑compromise detection and rapid response strategies.