Microsoft's AI-Driven Discovery Tool Finds 16 Windows Vulnerabilities, Including Four Critical Remote Code Execution Bugs

Introduction

Microsoft has unveiled a groundbreaking AI-powered vulnerability discovery system that identified 16 previously unknown security flaws in Windows, four of which are critical remote code execution (RCE) vulnerabilities. Security analysts believe this development could fundamentally change how software vulnerabilities are detected and addressed in the future.

The system, code-named MDASH, was developed by Microsoft's Autonomous Code Security team in collaboration with the Windows Attack Research and Protection group. According to a Microsoft blog post announcing the system, MDASH will enter private preview for enterprise customers next month.

All 16 vulnerabilities were patched in Microsoft's May 12 Patch Tuesday release, underscoring the real-world impact of the AI-driven approach.

"Cyber defenders are facing an increasingly asymmetric battle," Microsoft wrote in the blog post. "Attackers are using AI to increase the speed, scale, and sophistication of attacks."

Critical Windows Components Affected

The four critical vulnerabilities target core Windows components widely deployed across enterprise environments. Among them is CVE-2026-33827, a remote unauthenticated use-after-free flaw in the Windows IPv4 stack, exploitable via specially crafted packets carrying the Strict Source and Record Route option.

Another critical flaw, CVE-2026-33824, involves a pre-authentication double-free issue in the IKEEXT service, affecting RRAS VPN, DirectAccess, and Always-On VPN deployments.

Two additional critical vulnerabilities were found in Netlogon and the Windows DNS Client, both carrying CVSS scores of 9.8, indicating the highest level of severity.

Other Important Flaws

The remaining 12 vulnerabilities, rated "Important," include a mix of denial-of-service, privilege-escalation, information disclosure, and security feature bypass flaws. These affect components such as tcpip.sys, http.sys, ikeext.dll, and telnet.exe, according to Microsoft.

How MDASH Orchestrates AI Agents

MDASH operates by orchestrating more than 100 specialized AI agents across multiple frontier and distilled models. Each agent is assigned to a different stage of the vulnerability discovery pipeline, creating a highly automated and efficient workflow.

• Scanning agents analyze source code for potential flaws.
• Validation agents confirm whether findings are genuine.
• Reproduction agents attempt to construct triggering inputs that can reliably reproduce the issue before it reaches a human engineer for review.

As Taesoo Kim, Microsoft vice president for agentic security, explained: "The model is one input. The system is the product."

The architecture is intentionally designed to remain largely model-agnostic, allowing Microsoft to swap underlying AI models without rebuilding the broader orchestration pipeline. This flexibility is critical because MDASH arrives only weeks after Microsoft announced Project Glasswing, a partnership with Anthropic and others to evaluate AI-driven vulnerability discovery using Anthropic's Claude Mythos Preview model.

Implications for Cybersecurity

Microsoft's approach positions the company as both platform owner and security vendor, leveraging AI to stay ahead of attackers. The system's ability to find critical RCE vulnerabilities in widely used Windows components highlights the potential for AI to transform vulnerability discovery from a manual, time-intensive process into an automated, scalable operation.

As attackers increasingly adopt AI to enhance their operations, Microsoft's MDASH system represents a proactive defense, aiming to close the gap between discovery and remediation. Enterprise customers can expect to see further advancements as the private preview unfolds.