When o3 found a Zero-Day

The Beginning of AI-Native Security Research

written by
Mahesh Babu
published on
May 28, 2025
topic
No items found.

Security research has reached a pivotal moment. Sean Heelan's recent discovery of CVE-2025-37899, a remote zero-day vulnerability in the Linux kernel's SMB implementation, using OpenAI's o3 model exemplifies this shift. This isn't merely about a new vulnerability; it's about a transformative approach to identifying such flaws.

Why This Discovery Is Important

Heelan employed OpenAI's o3 model to analyze the ksmbd component of the Linux kernel, which handles SMB3 protocol operations. Without any specialized tools or frameworks—just direct interaction with the o3 API, he uncovered a use-after-free vulnerability in the 'logoff' command handler. This bug arises when concurrent connections to the server share objects in specific circumstances, leading to potential memory corruption and arbitrary code execution.

The significance lies not only in the vulnerability itself but in the method of discovery. o3's ability to reason about complex, concurrent code paths without human intervention marks a substantial advancement in AI-assisted security research.

Implications for Security Research and Red Teaming

This development suggests a future where AI models like o3 become integral to security workflows:

  • Automated Code Auditing: AI can assist in reviewing large codebases, identifying potential vulnerabilities that might be overlooked by human analysts.
  • Enhanced Red Team Operations: Red teams can leverage AI to simulate sophisticated attack vectors, improving the robustness of security assessments.
  • Accelerated Vulnerability Discovery: AI models can expedite the identification of complex bugs, reducing the time between vulnerability emergence and mitigation.

Kodem and the Value of Runtime Analysis

While o3 showcases the power of AI in static code analysis, Kodem complements this by focusing on runtime security. Kodem's platform integrates code and runtime analysis, providing real-time insights into application behavior. By observing applications during execution, Kodem identifies vulnerabilities that manifest only under specific runtime conditions. (kodemsecurity.com)

This approach ensures that security teams can detect and remediate issues that traditional static analysis might miss, enhancing overall application security posture.(OX Security)

The Future of Application Security

The convergence of AI-driven code analysis and runtime monitoring heralds a new era in cybersecurity:

  • Proactive Defense: Combining tools like o3 and Kodem enables organizations to anticipate and address vulnerabilities before they can be exploited.
  • Comprehensive Coverage: Integrating static and dynamic analysis ensures a holistic view of application security, covering both code and operational behavior.
  • Efficient Resource Allocation: By automating parts of the security assessment process, teams can focus their efforts on addressing the most critical issues.

In conclusion, the integration of AI models like o3 and platforms like Kodem represents a significant advancement in security research. By embracing these tools, security professionals can enhance their capabilities, proactively defend against emerging threats, and usher in a new standard for application security.

References

  • Heelan, S. (2025). How I used o3 to find CVE-2025-37899, a remote zero-day vulnerability in the Linux kernel’s SMB implementation.
  • Kodem. (2025). Runtime Intelligence for Application Security.
  • Kodem. (2025). Toward a Unified Application Data Model for Agentic AppSec.
  • Kodem. (2025). Kodem’s Approach to ADR: Rethinking Application Detection & Response. (kodemsecurity.com)

Blog written by

Mahesh Babu

Head of Marketing

More blogs

View all

How Rapyd Used Kodem to Shift from Volume to Impact

Rapyd, a global fintech platform operating in over 100 countries, partnered with Kodem to modernize its application security program. Faced with mounting vulnerabilities and a shortage of specialized AppSec talent, Rapyd needed more than another scanner—it needed a platform that could think like an expert. Kodem delivered measurable reductions in triage time, rework, and risk exposure by focusing on what attackers can actually exploit.

July 24, 2025

Vulnerability Alert: CVE-2025-25257: Pre-Auth SQL Injection to Full RCE in Fortinet FortiWeb Fabric Connector

CVE-2025-25257 is a critical vulnerability in Fortinet FortiWeb Fabric Connector. It allows unauthenticated SQL injection, which attackers escalate into remote code execution (RCE) on affected appliances.

July 21, 2025

Vulnerability Alert: CVE-2025-47812: Wing FTP Server Remote Code Execution Vulnerability (Null Byte Injection)

CVE-2025-47812 is a critical vulnerability affecting Wing FTP Server versions prior to 7.4.4. This severe security flaw enables unauthenticated attackers to execute arbitrary code remotely (RCE) by exploiting inadequate validation of input containing null bytes (%00) in the authentication process

July 12, 2025

A Primer on Runtime Intelligence

See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

Platform Overview Video

Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

The State of the Application Security Workflow

This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.

Get real-time insights across the full stack…code, containers, OS, and memory

Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.