Another Day, Another CVE
Every day, my routine has become to check and hope that there is not another vulnerability that I now have to research and think about, for my own personal setups and systems but also for systems at work.
This wasn't remotely the case a few months ago. Everything was normal; nothing urgent needed to be patched the next day. We could see what was happening, and it wasn't a constant state of panic.
But now every few days something else has a new issue, from supply chain attacks like Trivy Scan, or one of the biggest Linux vulnerabilities, Copy Fail, to a GitHub exploit, to tools like Bitwarden CLI being taken advantage of, and even the latest Linux vulnerability, Dirty Frag. You might think it's the fault of a single person being exploited through social engineering, or that it's because people don't care about security anymore, but it goes much deeper than that.
CVE volume has increased. Below is a table from https://www.cve.org/about/Metrics

From 2023 to 2025 we have already increased by 40%. And it's not stopping now.
AaaH (AI as a Hacker)

We have had AI for a while now. It's a very useful tool that most, if not all, people use in some way for something, because it's just easier now.
What we did not expect is how easy it made it for researchers or any attacker to start figuring out exploits more quickly. The better AI gets, the faster it becomes to find different exploits in the hands of the right or wrong person.
We are hitting a stage where more and more people understand much better how to control AI to do the work we need it to do. We can even set up agents with different skills and MCP servers to essentially run tests or run anything. You don't need to brute force anything, because now you have a smart and more efficient tool that improves as it does things; it can store memory and become better at doing the same task over and over.
Complacency
Working in the industry, you notice that unless you are on the deployment side of things, most people don't really care about security as much. Things like these don't worry most people because they can't be hacked on their own local laptop.
Most people are also using AI, so they assume it comes with everything built in. But you don't get proper security understanding or proper configuration built in. People are leaving API keys and env vars out in the open for anyone to see; that's why this occurs.
Social engineering is getting more and more powerful now; phishing and spoofing are much harder to spot because AI can help do things better.
People are not doing their due diligence, and it shows: people can easily get hacked because there are so many advanced spoofing techniques to get someone to download the wrong file, and then everything is compromised.
What is the solution?

There isn't one single solution.
We are in a place where each day there is a new vulnerability, there are new exploits, and there are new issues popping up that we might never have known about without AI.
You might always have to keep waking up worrying about the next problem, the next attack, and the victim could be you. And you did nothing wrong; you were just too slow in patching an issue that you didn't know existed.
Small silver lining
As much as I want to scare you, there is hope.
For too long, too many companies and too many devs have stopped caring about security. We see a lot of vibe-coded / multi-agent SaaS out there. We have big companies with badly set up security on their websites.
With this fear now, everyone is going to start to care. We will get better code and more refined, systematic products that will start to feel safe. And the benefit of not having to worry so much may not go away, but this will make it harder to break these systems, because the same AI will work for the good guys as well.