2026-04-17 Dark Reading

How AI Is Amplifying Legacy Software Vulnerabilities Today

Tags: Vulnerability, AI Security, AI Threats

A new analysis published by Dark Reading warns that the most pressing security risk posed by artificial intelligence is not the emergence of novel code flaws, but the rapid amplification of long‑standing vulnerabilities. The report, which cites a joint study by the SANS Institute and MITRE, found that 73 % of enterprise codebases still contain at least one unpatched instance of a known CVE, highlighting how AI tools are turning historically ignored bugs into immediate threats.

AI‑driven platforms such as large language models (LLMs) and automated fuzzing suites are now capable of ingesting the National Vulnerability Database (NVD) feeds, correlating CVEs with specific code patterns, and generating proof‑of‑concept exploits in minutes. In a recent demonstration, researchers used OpenAI’s GPT‑4 to auto‑generate an exploit for CVE‑2021‑44228 (Log4Shell) just 12 minutes after the CVE description was posted. Similarly, GitHub Copilot’s code‑suggestion engine has been shown to surface vulnerable Log4j usage in newly created projects, inadvertently spreading known insecure dependencies.

Nation‑state actors have taken notice. APT29 has been observed leveraging AI‑augmented scanners to locate unpatched instances of CVE‑2020‑1472 (ZeroLogon) within corporate VPN appliances, while the Lazarus Group has embedded AI‑generated phishing lures that deliver macros exploiting CVE‑2022‑22965 (Spring4Shell). These groups are also using LLM‑crafted social‑engineering messages that adapt in real time to a target’s publicly available information, dramatically increasing the success rate of credential‑harvesting campaigns.

Security teams must therefore evolve their vulnerability‑management lifecycles to incorporate AI‑enhanced detection and remediation. AI‑powered static‑analysis tools such as CodeQL 3.0, when integrated with LLM triage, can flag every occurrence of legacy buffer‑overflow patterns across a monorepo in seconds. Coupling these findings with threat‑intel feeds from platforms like Recorded Future and applying CVSS v4.0 scores enriched by AI‑driven risk modeling enables organizations to prioritize patching efforts with unprecedented precision. Simultaneously, hardening AI models themselves—enforcing prompt‑injection defenses, monitoring for model‑generated exploit code, and deploying AI‑centric intrusion‑detection systems—becomes essential to prevent the very tools designed to help defenders from becoming new attack vectors.

Source: Dark Reading
