News
XBOW Autonomous AI Pentesting Agent Discovers CVSS 9.8 RCE in Microsoft Cloud — First AI-Credited Critical CVE at Major Vendor
Microsoft's March 2026 Patch Tuesday included CVE-2026-21536, a CVSS 9.8 remote code execution flaw in Microsoft's Devices Pricing Program cloud service, discovered entirely by XBOW — a fully autonomous AI pentesting agent that has ranked at or near the top of HackerOne's bug bounty leaderboard for over a year. This is believed to be the first time an autonomous AI agent is publicly credited with finding a critical CVSS 9.8 vulnerability in a major tech vendor's production system. Microsoft patched server-side with no customer action required; the event marks a capability inflection point for autonomous security agents.
↳ Follow the thread