arxiv.org via Reddit

Toronto AI Worm Exploits 74% of Mixed Network, No Cloud Needed

safety cybersecurity agents ai-security agentic-ai malware

Key insights

  • The worm exploited 73.8% of a 33-host heterogeneous network and replicated to 61.8% of hosts across 15 independent experiments.
  • Running entirely on locally-hosted open-weight LLMs with no commercial API dependency makes vendor-side safety controls structurally irrelevant to containment.
  • The worm achieved 61.2% success against hosts running 2026-disclosed vulnerabilities by operationalizing new CVEs supplied at runtime.

Why this matters

The shift from fixed-exploit worms like WannaCry to adaptive AI worms means that patching a single known vulnerability no longer stops propagation: each target receives an attack strategy generated at runtime, so the worm moves on to whichever weakness remains. Running on locally hosted open-weight models rather than commercial APIs means every vendor-side guardrail, including model usage policies, rate limits, and content filters, is bypassed by design rather than by accident, so none of them can be counted on for containment. Security teams at organizations running mixed Linux, Windows, and IoT environments now face malware that operationalizes newly disclosed vulnerabilities as soon as the CVE details are fed to it, collapsing the window between disclosure and exploitation to however long the attacker takes to supply the advisory.

Summary

Researchers from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow have demonstrated a working proof-of-concept computer worm, powered by a locally run open-weight LLM, that spread across a 33-host isolated network spanning Linux, Windows, and IoT devices without relying on any commercial AI platform. Across 15 independent experiments, the worm identified an average of 31.3 vulnerabilities, exploited 73.8% of the network to elevated access, and replicated itself to 61.8% of hosts, reaching up to 7 generations of self-replication. In short, the University of Toronto and Vector Institute team showed that an AI agent on a single GPU, generating a tailored attack strategy for each target, can replicate across a heterogeneous corporate network while rendering vendor-controlled API safety measures structurally irrelevant.

  • The worm achieved 61.2% success against three hosts running 2026-disclosed vulnerabilities, operationalizing new CVEs at runtime with no lag after disclosure.
  • Self-replication succeeded 88% of the time on successfully exploited hosts; most failures came from malformed payloads rather than an incorrect strategy.
  • The system runs on a single NVIDIA A100 (80GB VRAM) or RTX PRO 6000 Blackwell, keeping all reasoning fully local.

The paper concludes that autonomous, self-replicating AI-driven adversaries are no longer theoretical: they are a present capability.

Potential risks and opportunities

Risks

  • Corporate security teams running mixed Linux, Windows, and IoT environments face immediate reassessment pressure: the paper's 33-host FakeCorp baseline had no endpoint detection deployed, a condition that mirrors common SME network topologies, so its exploitation rates speak directly to those networks rather than to a hardened estate.
  • Open-weight LLM providers face regulatory scrutiny if the unnamed 2025 model is identified, since permissive open licenses allow local deployment entirely outside vendor-controlled safety infrastructure.
  • The full attack methodology, including the eight-phase propagation pipeline and reasoning-graph architecture, is now publicly available on arXiv, lowering the expertise and resource barrier for threat actors to replicate the capability.

Opportunities

  • Network detection and response vendors (Darktrace, Vectra AI, ExtraHop) gain a concrete eight-phase reference architecture to build detection signatures against AI worm behavior including beacon deployment and swarm coordination traffic patterns.
  • Endpoint security vendors targeting IoT and heterogeneous networks (CrowdStrike Falcon, SentinelOne Singularity) can position directly against the zero-endpoint-detection gap: the paper's 73.8% exploitation rate was measured on a network with no endpoint detection deployed, which makes that baseline the first control to remove.
  • Hardware-level attestation and confidential computing vendors (Intel TDX, AMD SEV) can market their isolation as an architectural counter to the worm's local-LLM deployment model demonstrated on NVIDIA A100 hardware, with one caveat a buyer should press on: TDX and SEV isolate a defender's own workloads from a compromised host and place no constraint on a GPU the attacker owns, so any such pitch has to rest on attesting the defended hosts, not on denying the attacker local inference.

What we don't know yet

  • Which specific open-weight LLM was used: the paper describes it only as published in 2025 without naming the model, leaving the barrier to independent replication unclear.
  • Whether the researchers coordinated disclosure with CERT/CC, CISA, or IoT device vendors before publishing the full eight-phase attack methodology on a public preprint server.
  • Whether the worm could operate on consumer-grade hardware below the NVIDIA A100 (80GB VRAM) threshold, since smaller GPU deployment paths are not explored in the paper.