Twelve previously unknown vulnerabilities in OpenSSL were disclosed on January 27, 2026, all identified by an artificial intelligence system developed for automated security research. The findings represent an unusually high concentration of zero-day vulnerabilities discovered by a single team and highlight a growing role for AI in cybersecurity.
The AI system, known internally as AISLE, identified the vulnerabilities throughout the fall and winter of 2025, responsibly disclosing them to the OpenSSL team. Ten of the vulnerabilities have been assigned CVE-2025 identifiers, while two received CVE-2026 identifiers. Combined with three vulnerabilities discovered in the prior OpenSSL release, AISLE is credited with identifying 13 of 14 CVEs assigned to OpenSSL in 2025, and 15 in total across both releases.
Among the vulnerabilities discovered was CVE-2025-15467, a stack buffer overflow in the handling of CMS messages. Security researchers at SOC Prime have assessed this vulnerability as potentially remotely exploitable, even without valid key material. OpenSSL rated the vulnerability as HIGH severity, and the Common Vulnerability Scoring System (CVSS) assigned it a score of 9.8 out of 10, classifying it as CRITICAL. Exploits for CVE-2025-15467 have already been developed and are circulating online, according to reports.
Remarkably, three of the vulnerabilities identified by AISLE had existed in the OpenSSL codebase for over two decades, dating back to 1998-2000. One vulnerability predates OpenSSL itself, originating in Eric Young’s earlier SSLeay implementation from the 1990s. These long-standing vulnerabilities remained undetected despite extensive fuzzing and auditing efforts by multiple teams, including Google’s security researchers.
In five instances, the AI system not only identified the vulnerabilities but similarly proposed patches that were subsequently accepted into the official OpenSSL release. This direct contribution to remediation underscores the potential for AI to accelerate the vulnerability response process.
The discovery of these vulnerabilities comes as AI-assisted cybersecurity tools are increasingly being deployed by both offensive and defensive security teams. The speed and scale at which AI can analyze codebases are transforming the landscape of vulnerability research, raising questions about the future of cybersecurity and the ongoing arms race between attackers, and defenders.
