AI Security & Governance · Jun 14, 2026 · 4 min read

The AI Worm Worked. Your Gateway Is Under Attack.

An AI worm spread to 27 of 33 systems, CISA flagged active LiteLLM exploits, and 20% of financial firms got breached through AI tools.

By SpringVanta

Researchers at the University of Toronto built a computer worm powered by free AI models. It spread to 27 of 33 systems in a simulated enterprise network. That same week, CISA flagged an actively exploited vulnerability in LiteLLM, one of the most popular AI gateways. And the Cloud Security Alliance reported that one in five financial firms has already had a security incident tied to its AI tools.

Three things broke in the same week, all pointing at the same gap: the infrastructure around AI agents is expanding faster than anyone is defending it. Not the agents. The plumbing underneath them.

Three events in one week: AI worm hit 27 of 33 systems, LiteLLM CVE under active attack, CSA reports 20% of financial firms breached through AI

The worm that didn't need Mythos

The CleverHans Lab at the University of Toronto built a self-replicating computer worm using small, free, locally hosted LLMs. No API access, no frontier model, no Anthropic Mythos. Just open-weight models running on consumer GPUs.

Over seven days, the worm spread to 27 of 33 systems. It identified vulnerabilities with 82% accuracy and exploited them at a 44% success rate per attempt. The low per-attempt rate did not matter because every compromised machine became a new attacker. Swarm parallelism compensated for individual misses.

The worm exploited known CVEs from the CISA Known Exploited Vulnerabilities catalog, OWASP Top 10 weaknesses like SQL injection and missing access control, and common misconfigurations like reused passwords. It could integrate new vulnerability knowledge into its database within hours of public disclosure.

The researchers' key finding: you do not need Claude Opus or GPT-5.5 to run autonomous attacks. Gadi Evron, CEO of Knostic and co-creator of the RAPTOR pentesting framework, told CSO Online that previous-generation models combined with the right agentic harness can match or exceed frontier model performance on security tasks.

Daniel dos Santos, VP of research at Forescout, said his team has seen cybercriminals on underground forums shifting to open-source and commercial models rather than purpose-built crime models. The capabilities are commodity now.

CISA's LiteLLM alert: your AI gateway is a target

The LiteLLM vulnerability is not a proof-of-concept. It is being exploited right now. CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities catalog on June 9, giving federal agencies until June 22 to patch.

LiteLLM is an open-source AI gateway used to unify access to multiple LLM APIs. Teams deploy it to manage API keys, route traffic, and avoid vendor lock-in. The vulnerability lets any authenticated user, including low-privilege accounts, execute arbitrary commands on the proxy host. Horizon3.ai researchers confirmed it can be chained with CVE-2026-48710 ("BadHost"), an authentication bypass in Starlette, to achieve unauthenticated remote code execution.

LiteLLM has been a target before this year. In March, BerryAI was hit with a supply chain attack that pushed malicious LiteLLM versions to PyPI, so some deployments may have pulled a trojaned package before this CVE was ever disclosed.

The attack chain is straightforward: compromise the gateway, steal the API keys and model credentials the proxy holds (in its config file, its environment, or its key database), move laterally into connected AI infrastructure, then pivot to downstream systems. The middleware layer that was supposed to make agent deployment easier just became the easiest way to compromise everything it connects to.

Financial services: deployed fast, secured slow

The Cloud Security Alliance surveyed 340 IT and security professionals at financial services firms between January and March 2026. The headline finding is blunt: "Financial institutions have deployed AI faster than they have secured it."

Sixty-two percent have deployed AI agents. Ninety-three percent of those gave agents some level of autonomy. One-fifth experienced a security incident tied to AI tools. Twenty-one percent do not even know whether they have been breached through misconfigured AI tools.

The biggest concern, cited by 61% of respondents, is data leakage. AI agents have access to companies' most sensitive records: customer data, transaction history, internal documents. And 85% of firms expect AI agents to directly facilitate payments in the future, even though existing payment authentication models were designed around a human being present to confirm details.

Troy Leach, CSA's chief strategy officer, said the survey shows an industry "speeding toward autonomous AI-driven operations while also recognizing that visibility, identity governance, and real-time security controls must mature just as quickly."

What this means for operators

An AI worm showed that autonomous attacks work without frontier models. An active exploit showed that AI infrastructure is already being targeted. And a survey showed that even one of the most security-conscious industries is deploying faster than it can defend.

The agent itself is the least of your problems. The infrastructure around it — the gateway, the proxy, the API credentials, the network path — is where attackers are actually aiming.

If you are running LiteLLM or any AI gateway, treat it like you treat your VPN concentrator. Patch on CISA's schedule, not yours. Inventory the credentials it stores, and rotate them if you cannot rule out that the host was reached before you patched. Restrict network access to trusted segments. The LiteLLM fix is in v1.83.7. If you are running an older version, note that CISA's deadline for federal agencies is June 22; there is no reason for anyone else's window to be longer.
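Two of those steps can be scripted. The block below is an added example, not code from this article or from the LiteLLM project: it gates on the fixed version the article names (1.83.7, an assumption you should confirm against the advisory) and walks a proxy configuration to report where each deployment's API key comes from, flagging keys written literally into the config file. The config shape (a `model_list` of entries with `litellm_params.api_key`, and the `os.environ/NAME` reference syntax) mirrors a LiteLLM proxy `config.yaml` already loaded into a dict; the sample config is constructed for the example and contains no real keys.

```python
"""Patch gate and credential inventory for an AI gateway host.

Added example; not the article's or LiteLLM's own code. Assumptions are
marked: the fixed version comes from the article, and the config shape
mirrors a LiteLLM proxy config.yaml loaded into a dict (e.g. via yaml.safe_load).
"""
from __future__ import annotations

import re
from importlib import metadata

FIXED_VERSION = "1.83.7"  # assumption: taken from the article; confirm against the advisory

# LiteLLM's convention for referencing a secret from the process environment.
ENV_REF = re.compile(r"^os\.environ/(\w+)$")


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn '1.83.7', 'v1.83.7-stable' or '1.83' into a comparable 3-tuple.

    Non-numeric suffixes are dropped and missing components padded with 0,
    so '1.83' compares as 1.83.0 (older than the fix)."""
    nums = [int(n) for n in re.findall(r"\d+", v)[:3]]
    if not nums:
        raise ValueError(f"not a version string: {v!r}")
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def installed_litellm_version() -> str | None:
    """Version of the litellm package in this interpreter, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def inventory_credentials(config: dict) -> list[dict]:
    """Report the key source for every deployment in model_list.

    A literal key in the config file is a secret at rest on the proxy host:
    one file read after RCE hands it over. An os.environ/ reference keeps it
    out of the file, but the environment is still readable by a process
    running as the proxy user, so rotation is required either way after a
    suspected compromise; the point of the report is to know what to rotate."""
    findings = []
    for entry in config.get("model_list", []):
        params = entry.get("litellm_params", {})
        key = params.get("api_key")
        if key is None:
            source = "none"  # provider may authenticate another way; check by hand
        elif (m := ENV_REF.match(str(key))):
            source = "env:" + m.group(1)
        else:
            source = "literal"
        findings.append({
            "model_name": entry.get("model_name"),
            "model": params.get("model"),
            "key_source": source,
        })
    return findings


def literal_keys(config: dict) -> list[str]:
    """Deployments whose key is written directly into the config file."""
    return [f["model_name"] for f in inventory_credentials(config)
            if f["key_source"] == "literal"]


# Constructed sample config for the example; the literal key is a placeholder.
SAMPLE_CONFIG = {
    "model_list": [
        {"model_name": "gpt-4o",
         "litellm_params": {"model": "openai/gpt-4o",
                            "api_key": "os.environ/OPENAI_API_KEY"}},
        {"model_name": "claude",
         "litellm_params": {"model": "anthropic/claude-sonnet-4",
                            "api_key": "sk-ant-EXAMPLE-NOT-A-REAL-KEY"}},
        {"model_name": "local-llama",
         "litellm_params": {"model": "ollama/llama3",
                            "api_base": "http://10.0.5.20:11434"}},
    ],
    "general_settings": {"master_key": "os.environ/LITELLM_MASTER_KEY"},
}


if __name__ == "__main__":
    ver = installed_litellm_version()
    if ver is None:
        print("litellm is not installed in this interpreter")
    else:
        status = "patched" if is_patched(ver) else "VULNERABLE - upgrade"
        print(f"litellm {ver}: {status} (fixed in {FIXED_VERSION})")
    for f in inventory_credentials(SAMPLE_CONFIG):
        print(f"{f['model_name']:<12} {f['model']:<28} key_source={f['key_source']}")
    print("rotate first:", literal_keys(SAMPLE_CONFIG))
```

Run it on the proxy host itself so `installed_litellm_version()` reflects the interpreter the service actually uses, and replace `SAMPLE_CONFIG` with your real config loaded via `yaml.safe_load`. Keys reported as `literal` are the ones to move into the environment or a secret store and rotate first; everything else still needs rotation if the host was exposed before the patch landed.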

If you are deploying agents with autonomy, ask whether you can answer three questions: How many agents do you have? Who owns each one? What can each one access? If you cannot answer those quickly, you are in practice no better off than the 21% in the CSA survey who do not know whether they have been breached.

The worm did not need Mythos. The exploit did not need a zero-day. The breach did not need a sophisticated attacker. The attack surface is getting wider, and most of it is infrastructure teams have not inventoried yet.
