AI Models Find 22 New Firefox Vulnerabilities in Two Weeks, Exposing Critical Security Shift
Anthropic's Claude Opus 4.6 discovered 22 novel vulnerabilities in Firefox, while OpenAI's Codex Security identified over 10,000 high-severity issues across repositories.
AI Becomes Both Hunter and Hunted in Security Landscape
The cybersecurity world witnessed a paradigm shift this past week as AI models demonstrated unprecedented capability in vulnerability discovery, while simultaneously becoming exploitation targets themselves. Anthropic’s Claude Opus 4.6 identified 22 novel vulnerabilities in Mozilla Firefox during a two-week February research period, representing nearly a fifth of all high-severity Firefox vulnerabilities remediated in the previous year.
Meanwhile, OpenAI’s Codex Security scanned over 1.2 million commits in the past 30 days, uncovering 792 critical and 10,561 high-severity vulnerabilities across major open-source projects including OpenSSH, PHP, and Chromium.
The Double-Edged Nature of AI Security
These developments highlight AI’s dual role in cybersecurity. While Claude Opus 4.6’s success demonstrates AI’s potential to accelerate defensive security research, recent attacks show the flip side. An AI-powered bot called “hackerbot-claw” successfully targeted CI/CD pipelines across Microsoft, Datadog, and Aqua Security repositories between February 21 and 28, harvesting developer secrets through exploitable GitHub Actions workflows.
Additionally, vulnerabilities in AI systems themselves are emerging. Google’s Chrome Gemini AI faced a high-severity privilege escalation bug (CVE-2026-0628, CVSS 8.8), while Microsoft’s Azure MCP Server contained a server-side request forgery vulnerability (CVE-2026-26118, CVSS 8.8).
Irish and European Preparedness Concerns
For Irish organizations, these developments expose critical preparedness gaps. Recent surveys indicate only 57% of Irish businesses are increasing cybersecurity investments, below the global 60% average. More concerning, 57% of Irish firms cite “unclear risk appetite” as their greatest barrier to using AI for cyber defence, significantly above the global 39% average.
As the EU AI Act transitions into Irish law, these vulnerabilities underscore the urgency of robust AI security frameworks. The legislation will prohibit manipulative AI systems, but implementation timelines may not match the accelerating threat landscape.
Racing Against the Exploitation Window
The most alarming trend is the collapsing “exploitation window” – the time between vulnerability disclosure and weaponization. In 2025, over 32% of vulnerabilities were exploited on or before CVE issuance day. With AI models now capable of discovering vulnerabilities at unprecedented scale and speed, traditional 90-day disclosure windows may become obsolete.
Open Questions for the Industry
Several critical questions remain: Can traditional vulnerability management processes scale to match AI-driven discovery? How will the balance shift between AI-powered attack and defence capabilities? And, critically for Irish organizations, are current cybersecurity investments sufficient to defend against AI-enhanced threats while leveraging AI for protection?
The evidence suggests we’re entering an era where AI security capabilities will determine organizational resilience, making immediate strategic investment in AI-aware cybersecurity essential for Irish businesses.