Mozilla shipped 423 Firefox security fixes in a single month. Mandiant confirmed 28.3% of CVEs are now exploited within 24 hours, with exploits routinely arriving before patches. Five Eyes published the first joint agentic AI risk framework. The AI infrastructure layer underneath your agents is now the most exposed software class on the internet, and one million scanned services prove it.
Safe AI Academy, May 11, 2026
Mandiant's M-Trends 2026 just confirmed that 28.3% of disclosed CVEs are now exploited within 24 hours of disclosure, and that exploits are routinely arriving before patches. To put a five-year arc on that, Help Net Security's Patch Tuesday forecast walks the baseline: time-to-exploit was 700+ days in 2020, 44 days in 2025, and is now formally negative. That is 15 times compression of the defender window in 5 years. What used to be a sloppy talking point about "patching faster" is now an arithmetic problem. You cannot patch faster than the exploit when the exploit gets there first.
This week is the one where the industry stopped pretending the trend was hypothetical and started shipping structural responses to it. Let me walk through what shifted, because there is a clean causal chain from the AI capability story through the patch tsunami story through the framework response story, and I think it is the most important reading of the week.
The Patch Tsunami Stopped Being a Metaphor
The UK NCSC's "Prepare for the Vulnerability Patch Wave" advisory is the first government cyber agency to formally name what compliance teams have been muttering about since Mythos went live. Frontier AI is exposing decades of buried code debt at industrial scale and pace. NCSC's recommendations are blunt: automatic hot patching, update-by-default policies, and the assumption that AI will continue compressing the disclosure-to-exploitation window. The Register's writeup frames it as a "tsunami of flaws," and Computer Weekly extends the analysis to what happens when Patch Tuesday and frontier AI collide.
You do not have to imagine the numbers. Mozilla confirmed it shipped 423 Firefox security fixes in April, five times the March rate, driven by Mythos-class AI vulnerability discovery. Dario Amodei's "Moment of Danger" comments at the Anthropic financial services event, covered by CNBC, put public numbers on what Anthropic has been seeing internally: roughly 300 Firefox vulnerabilities surfaced by Mythos versus about 20 by earlier Claude generations, with "tens of thousands" of latent flaws still industry-wide. Decrypt's coverage lays out the 6 to 12 month window framing.
The vendor response is showing up in patch cadence itself. Help Net Security's same forecast confirms Oracle is moving its Critical Patch Update from quarterly to monthly, and Mozilla is moving Firefox security releases from monthly to weekly. I cannot remember the last time the underlying release cadence of a major vendor changed by a factor of four. This is not a tooling update, it is a fundamental admission that the prior cadence was below the threat clock.
And the closed-source side of the discovery story finally cracked too. Wiz researchers used AI-powered reverse engineering to find CVE-2026-3854, a CVSS 8.7 command injection in GitHub Enterprise Server via git push. 88% of self-hosted instances were exposed before the patch, with cross-tenant exposure on github.com itself allowing read access to millions of repos. GitHub's own post-incident writeup is honest about the mechanics. The Hacker News' coverage is the one that called the headline correctly: this is among the first critical closed-source vulnerabilities found via AI in the wild.
The way I see it, that GitHub finding is the missing data point. We had been talking about AI vulnerability discovery as an open-source phenomenon. The thesis was, "well, the LLM can read the source." That thesis is dead. Mythos and similar systems are now finding closed-source bugs through binary and behavioral analysis. Your closed-source vendors do not have the security-through-obscurity moat they thought they had.
The Stack Under Your Agents Is the Most Exposed Software Class We Have
I want to stop and talk about something important. The substrate underneath every "agentic AI" pitch deck is on fire, and I do not think most compliance teams have looked at it carefully.
The Hacker News' research scanning one million exposed AI services is the headline data: AI infrastructure is more vulnerable, exposed, and misconfigured than any other software class previously studied. One million. That is the number of internet-reachable AI inference proxies, vector stores, gateways, MCP servers, and orchestration platforms sitting on default credentials or no credentials at all. If you build an internal AI gateway and somebody asks you about controls, this is the survey you cite.
Now the receipts. CVE-2026-42208, a pre-auth SQL injection in LiteLLM with a CVSS of 9.3, was actively exploited approximately 36 hours after disclosure. The vulnerable code path concatenates a Bearer Authorization header directly into a SELECT against the verification token table, before authentication is decided, reachable from any HTTP client that can hit the proxy port. The attacker, per Sysdig's technical analysis, targeted exactly the tables holding upstream provider API keys for OpenAI, Anthropic, and the rest. The Hacker News coverage and LiteLLM's own advisory describe what successful extraction looks like: it is potentially equivalent to compromising every upstream LLM provider account at once. CCB Belgium issued a "patch immediately" advisory. This is the fourth distinct LiteLLM CVE class disclosed in 2026.
Let me put it this way. If you proxy your enterprise's LLM traffic through a single gateway that stores every provider's credentials, that gateway is the single richest secrets surface in your environment. Compromise the gateway, and you do not just compromise one provider, you compromise every model your enterprise touches. SQL injection in 2026 should not be a thing. Pre-auth SQL injection in the credential-storage path of the most-deployed AI proxy in the world absolutely should not be a thing. And yet here we are, exploited at 36 hours.
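As an added example (not LiteLLM's code and not from the original post), here is the bug class described above in constructed form: a token lookup that splices the Authorization header into the SQL text before any auth decision, next to a hardened lookup that allow-lists the token charset, binds it as a parameter and compares in constant time. The table, the token values and the sqlite in-memory database are all constructed stand-ins, not the gateway's real schema.

```python
import hmac
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a gateway's verification-token table (not LiteLLM's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE verification_token (token TEXT PRIMARY KEY, key_name TEXT, provider_key TEXT)")
    conn.execute("INSERT INTO verification_token VALUES (?, ?, ?)",
                 ("sk-valid-token", "team-a", "upstream-provider-key-CONSTRUCTED"))
    conn.commit()
    return conn


def _bearer_token(authorization: str) -> Optional[str]:
    scheme, _, token = authorization.partition(" ")
    return token.strip() if scheme == "Bearer" and token.strip() else None


def lookup_vulnerable(conn: sqlite3.Connection, authorization: str) -> Optional[tuple]:
    """Bug class from the post: the raw header value is spliced into the SQL text before any auth
    decision, so the header controls the WHERE clause of a query over the table holding provider keys."""
    token = _bearer_token(authorization) or ""
    sql = f"SELECT key_name, provider_key FROM verification_token WHERE token = '{token}'"
    return conn.execute(sql).fetchone()


def lookup_hardened(conn: sqlite3.Connection, authorization: str) -> Optional[tuple]:
    """Same lookup with the header treated as data: allow-listed charset (assumed token alphabet),
    bound parameter, and a constant-time comparison, so header bytes never reach the SQL text."""
    token = _bearer_token(authorization)
    if token is None or not all(c.isalnum() or c in "-_" for c in token):
        return None  # reject before touching the database
    row = conn.execute("SELECT token, key_name, provider_key FROM verification_token WHERE token = ?",
                       (token,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], token):
        return None
    return row[1:]


def regression_check(conn: sqlite3.Connection) -> dict:
    """Which lookups return a row for a valid token and for a header value that is not a token at all."""
    valid = "Bearer sk-valid-token"
    malformed = "Bearer x' OR '1'='1"  # constructed non-token input; any quote-bearing value exposes the defect
    return {
        "vulnerable_valid": lookup_vulnerable(conn, valid) is not None,
        "vulnerable_malformed": lookup_vulnerable(conn, malformed) is not None,
        "hardened_valid": lookup_hardened(conn, valid) is not None,
        "hardened_malformed": lookup_hardened(conn, malformed) is not None,
    }
```

The regression_check shape is the kind of test worth keeping in a gateway's suite: it fails the moment someone reintroduces string formatting into the token path.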
Ollama got its own headline. Cyera's "Bleeding Llama" disclosure covers CVE-2026-7482, a CVSS 9.1 unauthenticated heap out-of-bounds read affecting approximately 300,000 internet-facing Ollama servers. A crafted GGUF model plus a few API calls leaks heap memory containing system prompts, other users' chat content, environment variables holding API keys and database credentials, in-flight code, and PII. SecurityWeek and Cybernews walk through the practical exploitation. Default posture: zero-auth, listen-all. 300,000 servers running model inference, leaking each other's chats and credentials.
FastGPT shipped a trio of related issues in the same window: CVE-2026-44284 is a stored-SSRF through MCP-toolchain create/update endpoints, CVE-2026-44286 is an unauthenticated SSRF allowing arbitrary HTTP to internal networks, and CVE-2026-42344 is a DNS-rebinding TOCTOU in isInternalAddress() letting attackers bypass the private-IP block by swapping DNS between the check and the fetch. AnythingLLM closed a cross-tenant TTS audio leak rated CVSS 8.9 where the workspace membership check happened but the chat-ownership check did not, so any workspace member could request any other member's audio. Two AI coding agent unauthenticated local-RCE CVEs (CVE-2026-25253 and CVE-2026-22812) joined the pile.
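The isInternalAddress() TOCTOU above in constructed form, as an added example that is neither FastGPT's code nor from the original post: a check-then-fetch function that resolves the name twice, next to a pinned version that resolves once, validates that answer, and connects to that exact IP. The rebinding_resolver fake DNS, the hostname, and the IPs used in the test (8.8.8.8 as the public answer, 10.0.0.5 as the internal one) are assumptions so the demo runs offline.

```python
import ipaddress
import socket
from typing import Callable, List

Resolver = Callable[[str], str]  # hostname -> dotted IP string


def is_internal_address(ip: str) -> bool:
    """Private, loopback, link-local (covers the 169.254.169.254 cloud metadata range), multicast,
    reserved and unspecified addresses are all treated as internal and blocked."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolver(hostname: str) -> str:
    """Real resolver for production use; the demo injects a fake one so it runs offline."""
    return socket.getaddrinfo(hostname, None)[0][4][0]


def fetch_check_then_resolve(hostname: str, resolve: Resolver) -> str:
    """The TOCTOU shape from the post: the block check resolves the name once, then the HTTP client
    resolves it again. A record that changes between the two lookups passes the check and the
    request goes to the second answer."""
    if is_internal_address(resolve(hostname)):
        raise PermissionError(f"blocked internal destination for {hostname}")
    ip = resolve(hostname)  # second, independent lookup inside the client
    return f"http://{ip}/ (Host: {hostname})"


def fetch_pinned(hostname: str, resolve: Resolver) -> str:
    """Hardened form: resolve once, validate that answer, connect to that exact IP and carry the
    original hostname only in the Host header. There is no second lookup left to rebind."""
    ip = resolve(hostname)
    if is_internal_address(ip):
        raise PermissionError(f"blocked internal destination for {hostname}")
    return f"http://{ip}/ (Host: {hostname})"  # a real client must also re-check every redirect hop


def rebinding_resolver(answers: List[str]) -> Resolver:
    """Constructed fake DNS: returns the listed answers in order, then repeats the last one."""
    remaining = list(answers)

    def resolve(_hostname: str) -> str:
        return remaining.pop(0) if len(remaining) > 1 else remaining[0]

    return resolve
```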
If you are running RAG, agent orchestration, or self-hosted inference inside your enterprise, this is your week to pull out the inventory and ask hard questions: default credentials, network exposure, auth paths, cross-tenant isolation, and internal-only URLs that are actually externally reachable through SSRF. The kitchen analogy I keep coming back to is this: you cannot build an AI control library when your ingredients are themselves on fire. Walk the inventory of every AI infrastructure component your developers have stood up, because some of them are listening on 0.0.0.0 with no auth right now.
The Five Eyes Just Wrote the Framework I Have Been Waiting For
I want to spend a section on this because I think it is the most important framework development of the year so far.
First, the five risk categories: privilege, design and configuration, behavioral, structural, and accountability. That is a clean taxonomy. It does not invent jargon. Privilege risk is what your IAM controls should cover. Design and configuration risk is what your secure-build pipeline should cover. Behavioral risk is what your runtime monitoring should cover. Structural risk is what your architectural review should cover. Accountability risk is what your governance program should cover. If you are designing a controls catalog for agentic AI, those five categories map cleanly to existing control families. You do not need new families, you need new instances inside existing families.
Second, and this is the part that should settle a long-running internal debate: the Five Eyes explicitly recommend folding agents into existing zero-trust, least-privilege, and defense-in-depth frameworks, rather than treating agentic AI as a new discipline. I have been saying this for a while: you do not stand up a parallel agent-control framework alongside your IAM framework. You extend IAM to recognize agent identity. You extend least-privilege scoping to cover agent actions. You extend defense-in-depth to include the action layer and the model layer. One universe of controls, mapped to many frameworks. The Five Eyes just published the doctrinal cover for this approach.
And NIST is closing the loop. A forthcoming NIST special publication on AI agent risk management will incorporate these recommendations, per CISA's note in the joint guidance. We are about to have a NIST control set that is structurally compatible with the Five Eyes taxonomy, which means audit evidence and control mappings will be portable across at least six government regimes. For someone who has spent a lot of time stitching together UK NIS2, IRAP, ISMAP, and the FedRAMP variants, the prospect of a coherent agent-control taxonomy across all Five Eyes members is actually exciting. We are trailblazers on this, but the trail just got marked.
That is a lot of government showing up in one week. Five Eyes joint guidance. All five US frontier labs under classified pre-deployment evaluation. White House FDA-style EO under preparation. If you are building a compliance program and you have been treating "AI regulation" as some 2027 problem, that is not the calendar anymore.
The Defender Stack Is Reorganizing Around Frontier AI
The mirror image of the patch tsunami is what defenders are building, and the reorganization this week is real.
Both frontier labs now operate gated cyber-defender programs. OpenAI's GPT-5.5-Cyber began restricted rollout to "critical cyber defenders" via the Trusted Access for Cyber program. The UK AISI evaluation calls GPT-5.5-Cyber "one of the strongest models we have tested on our cyber tasks" and confirms it is the second system, after Mythos Preview, to complete their multi-step attack simulation end-to-end. Access is gated to government entities, critical infrastructure operators, security vendors, cloud platforms, and financial institutions. The Register's writeup is the cleanest framing I have read: both frontier labs now converge on "tiered release by verified defender identity" as a distinct control category.
The integration story is fast. Palo Alto Unit 42's "A New Era of Security: Frontier AI Defense" launched May 9, integrating GPT-5.5-Cyber plus Mythos plus Claude Opus 4.7 into continuous threat detection, with a claim that three weeks of frontier-AI testing equals one year of manual pentest. Take that ratio with a grain of salt, but accept the direction of travel. Anthropic's HackerOne bug bounty went public on May 9 with rewards from $100 to $10,000 for Claude and infrastructure vulnerabilities, previously invite-only. Cisco launched a Model Provenance Kit, an open-source Python CLI that fingerprints third-party AI models for origin and supply-chain provenance, complementing its AI Defense product line.
What This Means If You Actually Build Control Libraries
The thing is, every week I read what comes out and I try to ask myself what changes for the practical control work tomorrow. This week is one of the more consequential ones, so let me be direct.
First, the AI infrastructure tier is your highest-risk software class right now. Not the agent, not the model. The proxy, the inference server, the vector store, the MCP server, the orchestrator. If your AI gateway is LiteLLM and it has not been patched to 1.83.10-stable, you have a credential exposure problem this week. Same drill for Ollama, FastGPT, and AnythingLLM. Walk the inventory. The one-million-exposed-services number is not a survey result, it is your blind spot.
Second, the patch cadence question is now a board-level question. When Oracle moves from quarterly to monthly and Mozilla moves from monthly to weekly, your enterprise's patch SLA needs to be reconsidered against the negative time-to-exploit baseline. The SOC 2 language around "patches applied within thirty days" is suspicious by default now. Auditors are going to start asking for evidence that you can hot-patch high-CVSS issues in hours.
Third, the Five Eyes taxonomy is the cleanest agent-control taxonomy we have. Map your existing controls into the five categories, find your gaps, and start there. Do not invent a parallel control framework for agents; extend the existing ones with agent-specific instances. That is the common control philosophy and it is now the multi-government philosophy too.
Fourth, gated frontier AI access is a procurement question. If you are evaluating an AI-augmented SOC product and the vendor cannot articulate how they use GPT-5.5-Cyber, Mythos, or Claude Opus 4.7, ask. The capability differential is real. A vendor without frontier-tier access is not at the same level as one with it.
At the end of the day, the defender window closing is not the end of cyber defense, it is the end of leisurely cyber defense. The compliance practitioners who survive this transition will be the ones who built continuous control monitoring instead of point-in-time audit checklists, who built automated evidence collection instead of screenshot folders, who built AI-augmented analysis instead of manual review. I have said this in every conversation I have had with my team for the last year. This week is the receipts.