Anthropic's Claude created exploits for FreeBSD and gained root access in four hours
Claude, together with researcher Nicholas Carlini, autonomously created two working exploits for CVE-2026-4747 in the FreeBSD kernel in four hours and…
AI-processed from 3DNews AI; edited by Hamidun News
Claude, working with researcher Nicholas Carlini, autonomously found a path from a FreeBSD vulnerability to two working exploits and code execution with root privileges within four hours. For the security industry, this is a telling moment: the model is no longer simply helping to analyze bugs, but is capable of developing them into practical attacks.
How It Happened
The vulnerability in question is CVE-2026-4747 in the FreeBSD kernel. Based on the experiment description, Claude worked quite autonomously: it analyzed system behavior, built hypotheses, tested them, and gradually assembled a working exploitation chain. The result was not a theoretical discussion about where an error might exist, but two fully functional exploits that could be run against machines without the patch installed. The model progressed from kernel analysis to a ready-to-use result.
The most important outcome was that the model achieved code execution with maximum privileges: the attack culminated in root access on vulnerable servers. Typically, this path requires a researcher to go through a series of manual iterations: studying the code, reproducing the bug, finding a technique to bypass protections, and turning it all into a reliable attack scenario. Here, the AI completed a significant portion of this work itself and did so in approximately four hours. This is what makes the experiment particularly notable: it demonstrates not assistance with research, but complete execution of an attack task from analysis to result.
Why This Is Concerning
For the cybersecurity market, this is an important shift because it changes not only the speed of analysis but also the level of tool autonomy. Previously, generative models were typically used as assistants: explaining code fragments, suggesting ideas, helping with debugging. In this case, Claude went further and completed multiple stages of the attack chain without constant manual guidance. The story therefore appears to be one of the first publicly described examples in which an AI itself turned a vulnerability into a working attack tool.
- Rapid transition from discovery to exploitation
- Automation of a researcher's repetitive steps
- Lowering the bar for creating dangerous PoCs
- Increased burden on teams responsible for patching
What is particularly troubling is that this was not a laboratory demonstration in a completely artificial test environment, but involved servers where the vulnerability had not yet been fixed. This brings the case closer to a real operational environment. If such capabilities become standard for strong models, the window between bug disclosure and the emergence of a working exploit could shrink dramatically. This means administrators and vendors will need to respond significantly faster than before.
Implications for Defense
The FreeBSD story simultaneously demonstrates both the value and the risk of such systems. On one hand, the same methods can be used in a defensive context: checking your own products, finding critical errors before attackers do, and testing the quality of fixes. On the other hand, the fact that the model can independently develop ideas into working exploits means an inevitable arms race between defensive and offensive AI applications.
The advantage will go to teams that already have an automated process for initial triage, prioritization, and rapid patch deployment. For infrastructure teams, the takeaway is quite practical: if a critical vulnerability is published, you can no longer count on a long grace period. Even if a detailed exploit has not yet appeared in public, modern models can help assemble it much faster than before. In such an environment, the value of segmentation, privilege minimization, change control, and continuous verification of which nodes truly lack updates increases. For old and poorly inventoried environments, this is a particularly dangerous scenario.
What This Means
The Claude and FreeBSD case demonstrates that generative AI is entering a phase where it affects not only developer productivity but also the pace of offensive cyber operations. For companies, this is a direct signal to reduce patch installation time and treat public CVEs as if a working exploit could appear almost immediately.