Study: 1 Million AI Servers Exposed Online in 2026

Summary

For the first time, criminals have verifiably used artificial intelligence to build a so-called zero-day exploit - a ready-made weapon for a previously unknown security flaw. Google's security team spotted the planned AI cyberattack and stopped it before any damage was done. The attack was meant to bypass the two-factor authentication of a widely used administration tool. For Europe, the case is a clear warning sign: AI lowers the barrier for attackers and makes attacks faster and cheaper - with consequences for companies, public authorities and, ultimately, ordinary citizens.

AI as a Weapon: Hackers Had a Machine Build the First Zero-Day Exploit

It is the moment experts have been warning about for years: an artificial intelligence helped prepare a real cyberattack. In May 2026, Google's security division reported that a criminal group had apparently used an AI model to find an unknown security flaw and turn it into a working weapon. This AI cyberattack was stopped before it could cause serious harm. Yet it marks a turning point - for Europe too.

What exactly happened - and why it is new

The Google Threat Intelligence Group, or GTIG, tracks how attackers operate around the world. In its latest report, it describes for the first time a case in which hackers used AI to develop a zero-day exploit. A zero-day is a weakness the manufacturer does not yet know about. The name comes from the fact that developers had zero days to fix it. Such flaws are especially dangerous because no protection exists yet.
In this case, the attackers targeted a popular open-source program used to manage servers. Their goal was to bypass two-factor authentication, the second security check that is supposed to keep our accounts safe. The malicious code was written as a short Python script, and the plan was a mass attack on as many systems as possible at once. Google informed the vendor and the authorities, preventing widespread use.
What is striking is how the experts spotted the AI's fingerprints. The code contained telltale signs: an invented risk score, unusually detailed explanatory notes and a structure typical of language models. According to the company, Google's own AI model, Gemini, was not involved. The attack was attributed to a financially motivated cybercrime group.

What it means for Europe - and what you can do

The case affects Europe directly, even though the target was not named. The real message is this: AI lowers the entry barrier for attackers. Tasks that once required specialist knowledge can now partly be handed to a machine. That makes attacks faster, cheaper and more numerous - and Europe's dense base of industrial companies is an attractive target.
This is no future scenario. Another finding from the report shows that groups linked to Russia are already using AI-assisted malware against organisations in Ukraine. Such tools can change their own code to avoid detection. Europe is therefore not just an observer but already a battlefield. This is exactly where the EU rules NIS2 and DORA come in, requiring many companies and authorities to become more resilient.
So what can you actually do? For companies: install updates immediately instead of postponing them. Switch two-factor authentication to modern, phishing-resistant methods. Reduce the number of systems directly reachable from the internet, keep an eye on your devices and test your backups regularly. For individuals, the basics matter most: use strong, unique passwords, rely on a password manager and turn on the second security check wherever possible. Stay sceptical of emails and messages that pressure you into acting quickly.

Conclusion and outlook

The good news: defenders use AI too. Google itself runs programs that automatically find weaknesses and can even repair them. A race is underway between attack and defence, and speed decides who wins. For Europe, this calls not for panic but for preparation. Anyone who treats security as an ongoing process, takes updates seriously and trains their staff is far better protected. The first AI-built zero-day is a wake-up call - and at the same time a chance to act now, before the next attack arrives.
https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access
Google Blog (offizielle Zusammenfassung): https://blog.google/innovation-and-ai/infrastructure-and-cloud/google-cloud/google-threat-intelligence-group-report/
CNBC: https://www.cnbc.com/2026/05/11/google-thwarts-effort-hacker-group-use-ai-mass-exploitation-event.html
SecurityWeek: https://www.securityweek.com/google-detects-first-ai-generated-zero-day-exploit/
SC Media: https://www.scworld.com/news/google-reports-first-known-ai-assisted-zero-day-exploit-in-the-wild
Der Spiegel (Ausgangsartikel): https://www.spiegel.de/netzwelt/web/google-forscher-vereiteln-offenbar-ki-hackerangriff-a-4d494ea4-dbd9-48d7-85a8-2bac27b55e7d
Created with