Last roundup covered OpenClaw’s nine CVEs in four days, Flowise’s third actively exploited RCE, and CrewAI’s trust model collapsing under basic prompt injection. This week, Intruder researchers scanned two million hosts and found one million exposed AI services — calling it the worst infrastructure they’ve ever investigated. Meanwhile, teenagers with no coding experience are using commercial chatbots to breach government agencies, the exploit window has shrunk to under 24 hours for nearly a third of all CVEs, and OpenAI is responding with Daybreak, a cybersecurity initiative built on GPT-5.5.
One Million Exposed AI Services, Zero Authentication
Security firm Intruder scanned over two million hosts via certificate transparency logs and found one million exposed AI services. Their conclusion was blunt: “The AI infrastructure we scanned was more vulnerable, exposed, and misconfigured than any other software we’ve ever investigated.”
The core problem is depressingly familiar. Authentication simply isn’t enabled by default in many AI projects, and teams are deploying them to the public internet without changing that. Intruder found real user data, company tooling, and full conversation histories sitting exposed to anyone who knew where to look.
The specific findings are damning across every category. OpenUI-based chatbot instances had full LLM conversation histories accessible to the public. Claude-powered services were leaking API keys in plaintext. Multiple instances were storing large volumes of personal conversations — including NSFW content — with no access controls.
Agent management platforms fared no better. Intruder found n8n and Flowise instances deployed without authentication, including one Flowise instance that exposed the entire business logic of an LLM chatbot service along with credential lists and third-party integrations. Over 90 instances across government, marketing, and finance sectors had accessible workflows, prompts, and outbound access to other systems.
Then there’s Ollama. Of the 5,200+ Ollama API servers Intruder tested, 31% answered prompts with no authentication at all. More troubling: 518 of those servers were wrapping paid frontier models from Anthropic, DeepSeek, Google, and OpenAI, which means someone is paying for API access, exposing it to the entire internet, and footing the bill for whoever finds it.
Within a couple of days of lab work, researchers achieved arbitrary code execution in one popular AI project. The systemic issues they flagged: insecure defaults, misconfigured Docker setups, hardcoded credentials, applications running as root, and weak sandboxing around code interpretation.
Teenagers Are Hacking Governments With ChatGPT
The attacker profile for sophisticated breaches has fundamentally changed. A pattern that built through 2025 is now impossible to ignore: people with no technical background are executing enterprise-scale compromises using commercial AI chatbots.
In December 2025, a 17-year-old with no coding experience used AI to extract personal data from seven million users of a Japanese internet café chain. The same month, an individual used Claude Code and ChatGPT to breach roughly ten Mexican government agencies, exfiltrating approximately 150GB of data including 195 million taxpayer records, voter records, civil registry files, and government employee credentials. The attacker used over 1,000 Spanish-language prompts to bypass AI guardrails, framing requests as “bug bounty” research and convincing the chatbot to write exploit scripts and automate data theft.
In February 2025, three teenagers aged 14, 15, and 16 used ChatGPT to build tools that they ran against Rakuten Mobile approximately 220,000 times, spending the proceeds on gaming consoles and gambling.
In July 2025, a single actor using Claude Code ran an extortion campaign against 17 organizations in one month, developing malicious code, organizing stolen files, and analyzing financial records.
The numbers behind this shift are stark. Malicious packages in public repositories jumped from 55,000 in 2022 to 454,600 in 2025. Cloud intrusions increased 35% throughout 2025. On the SWE-bench coding benchmark, the best AI systems resolved 33% of the sampled GitHub issues in August 2024; by December 2025 that figure was 81%. The tools are getting better faster than defenses can adapt.
The Exploit Window Has Effectively Closed
Mandiant’s M-Trends 2026 report found that 28.3% of CVEs are now exploited within 24 hours of disclosure. Time-to-exploit has dropped from over 700 days in 2020 to 44 days on average in 2025 — and for nearly a third of vulnerabilities, it’s under a day.
The defense side can’t keep up. Average remediation time for high and critical CVEs sits at 74 days. Forty-five percent of vulnerabilities in large enterprise systems are never remediated at all.
As Chainguard CEO Dan Lorenc put it: “The complexity and scale of vulnerability management has outgrown the capabilities of most organizations.”
Palo Alto Networks’ Unit 42 team put a timeline on it: organizations have a three-to-five-month window to get ahead before AI-driven exploits become the norm. Their first frontier AI-driven vulnerability scan covered over 130 products across three platforms and turned up 26 CVEs and 75 total issues in a single run — versus a typical monthly volume of fewer than five CVEs found through conventional methods.
OpenAI Launches Daybreak
OpenAI’s answer to the AI security crisis launched on May 12. Daybreak combines frontier model capabilities with Codex Security to help organizations find and patch vulnerabilities before attackers reach them.
The initiative runs on three GPT-5.5 model variants: a standard version with general safeguards, GPT-5.5 with Trusted Access for Cyber for verified defensive work, and GPT-5.5-Cyber — a permissive model specifically designed for red teaming and penetration testing. The capabilities include secure code review, threat modeling, vulnerability identification in isolated environments, patch validation, and dependency risk analysis.
Major security vendors are already integrating: Akamai, Cisco, Cloudflare, CrowdStrike, Fortinet, Oracle, Palo Alto Networks, and Zscaler are all listed as partners. Access is currently tightly controlled through OpenAI’s sales team.
Whether Daybreak can meaningfully close the gap between AI-powered offense and defense remains to be seen. The attackers already have commercial AI tools — they’ve been using them for months. The question is whether purpose-built defensive AI can outpace the improvised offensive use that’s already causing damage.
The Pattern This Week
Seven weeks into these roundups and the picture keeps getting worse. Last month it was individual frameworks shipping with catastrophic defaults. This month it’s the entire AI infrastructure ecosystem — one million services exposed, no authentication, real data leaking.
The teenager problem is arguably more alarming than the infrastructure problem. You can fix a misconfigured Ollama server. You can’t un-ship AI capabilities that let a 14-year-old hit a telecom 220,000 times. The guardrails on commercial AI models are being bypassed through sheer persistence — over 1,000 prompts to talk Claude Code and ChatGPT past their refusals in the Mexican government breach — and the providers are struggling to stay ahead.
The 24-hour exploit window combined with 74-day average remediation means the math simply doesn’t work anymore. Palo Alto’s assessment of a three-to-five-month window before AI-driven exploits go mainstream feels generous.
What You Can Do
If you’re running Ollama: The bind address comes from the OLLAMA_HOST environment variable, and the default is 127.0.0.1:11434, so a server that is reachable from the internet got there because someone set OLLAMA_HOST to 0.0.0.0 (the usual advice for “remote access”) or published the Docker port on every interface. Check it and set it back to 127.0.0.1. Ollama has no authentication of its own, so loopback is the floor, not the fix: if other hosts need the API, put it behind a reverse proxy that authenticates. If you’re wrapping paid API keys through Ollama, verify those endpoints aren’t reachable from the public internet, and rotate the keys if they were.
If you’re running any AI agent platform (n8n, Flowise, or similar): Assume it deployed without authentication by default. Verify. Put it behind a reverse proxy with authentication if you need it internet-accessible. Audit what credentials and workflows are exposed.
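The two checks above (is Ollama bound to every interface, and is an agent platform such as n8n or Flowise listening where the internet can reach it) as one added audit script. It is not code from the roundup, from Intruder, or from Ollama, n8n or Flowise; I wrote it for this section. It assumes the projects’ default ports (Ollama 11434, n8n 5678, Flowise 3000), the `ss -ltn` and `docker port` line formats shown in the constructed samples, and the documented OLLAMA_HOST syntax (`host`, `host:port`, or `scheme://host:port`, unset meaning 127.0.0.1:11434). The sample lines are made up for the offline run, not captured from a real host; `--live` runs the same checks against the machine it is on.

```shell
#!/bin/sh
# Added example for this roundup; not code from Intruder, Ollama, n8n or Flowise.
# Audits a Linux host for AI services listening on every interface, whether
# bound directly (`ss -ltn` output), published by Docker (`docker port` output)
# or configured through OLLAMA_HOST.
# Assumptions (hypothetical; adjust to your deployment): the projects' default
# ports below, and the `ss`/`docker port` line formats shown in the samples.

# name:port pairs for the services to look for.
AI_PORTS="ollama:11434 n8n:5678 flowise:3000"

# Constructed sample output (not from a real host) so the script runs offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:631        0.0.0.0:*
LISTEN 0      4096   0.0.0.0:11434        0.0.0.0:*
LISTEN 0      4096   [::]:11434           [::]:*
LISTEN 0      4096   127.0.0.1:5678       0.0.0.0:*
LISTEN 0      511    *:3000               *:*'
SAMPLE_DOCKER='3000/tcp -> 0.0.0.0:3000
5678/tcp -> 127.0.0.1:5678'

# True when a bind address means "every interface".
is_wildcard_host() {
    case "$1" in
        0.0.0.0|'*'|'[::]'|::) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the service name for a port from AI_PORTS; fail if it is not one.
service_for_port() {
    for pair in $AI_PORTS; do
        if [ "${pair#*:}" = "$1" ]; then
            printf '%s' "${pair%%:*}"
            return 0
        fi
    done
    return 1
}

# Read `ss -ltn` output on stdin; print "service addr:port" per exposed listener.
exposed_listeners() {
    while read -r state recvq sendq laddr rest; do
        [ "$state" = "LISTEN" ] || continue
        svc=$(service_for_port "${laddr##*:}") || continue
        is_wildcard_host "${laddr%:*}" && printf '%s %s\n' "$svc" "$laddr"
    done
    return 0
}

# Read `docker port <container>` output on stdin ("3000/tcp -> 0.0.0.0:3000")
# and print "service host:port" for each AI port published on every interface.
# What matters is the host-side address; inside the container the service
# has to listen on all of the container's interfaces anyway.
exposed_docker_ports() {
    while read -r cport arrow haddr; do
        [ "$arrow" = "->" ] || continue
        svc=$(service_for_port "${haddr##*:}") || continue
        is_wildcard_host "${haddr%:*}" && printf '%s %s\n' "$svc" "$haddr"
    done
    return 0
}

# Does an OLLAMA_HOST value bind on every interface? Ollama accepts "host",
# "host:port" or "scheme://host:port"; unset or empty means 127.0.0.1:11434.
ollama_host_exposed() {
    v="${1#*://}"
    [ -n "$v" ] || return 1
    case "$v" in
        "["*"]"*) host="${v%%]*}]" ;;   # [::]:11434 -> [::]
        ::)       host="$v" ;;
        *:*)      host="${v%:*}" ;;
        *)        host="$v" ;;
    esac
    is_wildcard_host "$host"
}

# Run the checks over the constructed samples.
demo() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
    printf '%s\n' "$SAMPLE_DOCKER" | exposed_docker_ports
    if ollama_host_exposed "http://0.0.0.0:11434"; then
        echo 'OLLAMA_HOST=http://0.0.0.0:11434 exposes the API'
    fi
}

# Run the same checks against this host (needs ss; docker is optional).
live_audit() {
    ss -ltn | exposed_listeners
    if command -v docker >/dev/null 2>&1; then
        for c in $(docker ps -q); do
            docker port "$c" | exposed_docker_ports
        done
    fi
    if ollama_host_exposed "${OLLAMA_HOST:-}"; then
        echo "OLLAMA_HOST=$OLLAMA_HOST exposes the API"
    fi
}

if [ "${1:-}" = "--live" ]; then live_audit; else demo; fi
```

Against the samples it reports Ollama on 0.0.0.0 and [::], Flowise on `*:3000` and on the Docker-published 0.0.0.0:3000, and the n8n instance on 127.0.0.1 as fine. For a native Ollama install the fix is the environment variable (on the systemd install, `systemctl edit ollama.service` and set `Environment="OLLAMA_HOST=127.0.0.1:11434"`); for a container it is the publish address, `-p 127.0.0.1:11434:11434` instead of `-p 11434:11434`, since Docker publishes on all interfaces by default and bypasses a host firewall that only filters INPUT. Loopback still means anything on the box, including an SSRF into it, can use the API; the script finds the worst case, it does not replace the authenticating reverse proxy the text asks for.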
If you’re responsible for patching: The 74-day average is no longer acceptable. Prioritize any CVE in AI tooling — these are being actively scanned and exploited. Consider whether you can eliminate entire vulnerability classes rather than playing whack-a-mole with individual patches.
If you’re building AI applications: Don’t ship with authentication disabled by default. Don’t bind to all interfaces by default. Don’t run as root. These aren’t novel security practices — they’re decades old, and the AI ecosystem is ignoring all of them.