Cybersecurity · Friday, 26 June 2026
01 · Briefing · what happened
A flaw hid in software on billions of machines for 25 years — until an AI went looking
A bug that sat untouched in curl since 2001 was finally found this month, part of a wave of old flaws surfacing now that AI tools are reading code no human had re-examined in years. Plus a Cisco bug exploited two months before anyone knew, and why scam centres keep surviving every crackdown.
Key takeaways
- A flaw that sat in curl — software on billions of devices — for 25 years was finally found this month, mostly because AI tools can now re-read old code no human had checked in years.
- The same week, a Cisco networking flaw was being exploited two months before anyone knew it existed, and a Cisco phone flaw was attacked within 24 hours of becoming public.
- The riskiest code is rarely the new kind — it's the long-trusted kind that's worked so flawlessly that nobody looks at it anymore.
The most-used piece of internet plumbing you’ve never heard of just patched a hole that had been open for 25 years
The 25-year-old flaw
This week, curl, a small open-source tool and library that moves data across the internet, built into phones, cars, routers, banks, and most of the world's servers, released its largest-ever batch of fixes: 18 vulnerabilities in one update.
The flaw let the software, in some cases, keep using an already-open connection even after the keys and security settings that should have governed it had changed. A request could go out over a connection set up under a different identity or a different set of trust rules, which could let one party be mistaken for another.
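The bug class behind that paragraph is easy to state in code: a connection cache that decides "same host and port, reuse it" without asking whether the security settings are the same. The briefing does not say which settings were involved, so this added example (not curl's code) models the general pattern with a client certificate and CA bundle as the settings that change, and shows the cache key that causes the mix-up beside the one that prevents it. Host names and file paths are made up.

```python
"""Why a connection cache must key on its security settings.

Added example, not curl's code. Models the pattern in which a pool keyed
on (host, port) hands back a connection opened under other TLS settings.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class TlsSettings:
    """Everything that decides who we trust and who we claim to be.
    Frozen so it is hashable and can be part of a cache key."""
    ca_bundle: str
    client_cert: Optional[str] = None
    verify_peer: bool = True


@dataclass
class Connection:
    host: str
    port: int
    tls: TlsSettings   # the settings in force when the socket was opened
    conn_id: int


class NaivePool:
    """Vulnerable pattern: reuse is decided by (host, port) alone."""

    def __init__(self) -> None:
        self._cache: Dict[tuple, Connection] = {}
        self._opened = 0

    def _open(self, host: str, port: int, tls: TlsSettings) -> Connection:
        # Stand-in for a real TCP + TLS handshake performed with `tls`.
        self._opened += 1
        return Connection(host, port, tls, self._opened)

    def _key(self, host: str, port: int, tls: TlsSettings) -> tuple:
        return (host, port)          # tls deliberately ignored: the bug

    def acquire(self, host: str, port: int, tls: TlsSettings) -> Tuple[Connection, bool]:
        """Return (connection, reused)."""
        key = self._key(host, port, tls)
        conn = self._cache.get(key)
        if conn is not None:
            return conn, True
        conn = self._open(host, port, tls)
        self._cache[key] = conn
        return conn, False


class StrictPool(NaivePool):
    """Hardened: every security-relevant setting is part of the key, so a
    request with different credentials or trust anchors never rides an
    existing connection."""

    def _key(self, host: str, port: int, tls: TlsSettings) -> tuple:
        return (host, port, tls)


def identity_mismatch(conn: Connection, requested: TlsSettings) -> bool:
    """True when a reused connection was opened under settings other than
    the ones the caller asked for: the bug class, made checkable."""
    return conn.tls != requested


def run_scenario(pool: NaivePool) -> Tuple[int, int, bool]:
    """Two requests to the same host with different client certificates.
    Returns (first_conn_id, second_conn_id, second_request_mismatched)."""
    host, port = "api.example.test", 443           # constructed host
    alice = TlsSettings("/etc/ssl/certs/ca.pem", client_cert="/etc/keys/alice.pem")
    bob = TlsSettings("/etc/ssl/certs/ca.pem", client_cert="/etc/keys/bob.pem")
    c1, _ = pool.acquire(host, port, alice)
    c2, reused = pool.acquire(host, port, bob)
    return c1.conn_id, c2.conn_id, reused and identity_mismatch(c2, bob)


if __name__ == "__main__":
    print("naive :", run_scenario(NaivePool()))    # (1, 1, True): bob's request goes out as alice
    print("strict:", run_scenario(StrictPool()))   # (1, 2, False): bob gets a fresh connection
```

The fix is not "never reuse connections"; reuse is what makes the tool fast. It is that the cache key has to contain every input that changes who is on either end of the connection, and a cheap way to audit any pool is to diff a reused connection's settings against the request's, as `identity_mismatch` does.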
It wasn't found by a person reading through the code. It was found by an AI tool. A vulnerability-research firm, Aisle, ran an AI tool across curl and surfaced six new flaws this year, including the oldest bug ever reported in the project.
The honest reading is the quieter one. Curl is among the most heavily reviewed code on earth. Few bugs survive in it. The ones that do survive precisely because they hide where no human keeps looking, and that is the part worth carrying.
Why old code is suddenly leaking bugs
For years, finding flaws in mature software meant a skilled human reading thousands of lines, line by line, looking for the one wrong assumption. That doesn’t scale. So the most-trusted, longest-running code got the least fresh scrutiny — everyone assumed someone else had already checked it, and the years of flawless operation read as proof it was safe.
AI changes the economics of looking. A tool can now re-read code no person has re-examined in a decade, cheaply, without getting bored on line 40,000. So flaws that were always there, but had aged into invisibility, are surfacing now.
That cuts both ways, which is why it's news and not just good news. The same tools defenders use to find old bugs first can be pointed at the same code by attackers. The race is now about who reads it sooner.
A bug exploited before anyone knew it existed
A separate story this week shows what happens when the attacker reads first. Google reported that a serious flaw in Cisco's Catalyst SD-WAN networking gear, software many large organisations route their traffic through, was being quietly exploited at least two months before Cisco disclosed it on 4 June.
The flaw, CVE-2026-20245, let an attacker who already had a foothold on the system run commands as its most privileged account.
A near-twin landed days later: a critical Cisco phone-system flaw was being attacked within 24 hours of researchers publishing a proof of concept showing it could be exploited.
The scam economy that survives every raid
Further from the headlines, two reports this month explained why Southeast Asia's online scam centres keep operating despite high-profile crackdowns.
Raids happen. They mostly don't stick. Amnesty International, after visiting 75 of 86 confirmed compounds in Cambodia, found evidence that local authorities communicate directly with compound managers.
What to take from it
Most readers can't patch curl directly; the update flows to you through your phone, your browser, and your devices over the coming weeks, and that is the system working as intended. If you administer systems, the fix arrives through your package manager, with one caveat: the curl library is compiled into many other programs, each of which needs its own update before it is fixed. The lesson sits elsewhere. The riskiest code isn't the new and shaky kind. It's the old, trusted kind that's worked so long nobody looks anymore, and the cheapest place for a problem to hide is wherever everyone has agreed it's safe.
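For anyone who does administer systems, the practical check is which library version is actually in use, not which curl binary is installed. The first line of `curl --version` reports both, and the two can differ when the binary links a separately installed libcurl. This added script (not curl project code) parses that line and compares the libcurl token against a minimum you supply; the page does not name the fixed version, so the minimum is a parameter and the sample banners are constructed.

```python
"""Fleet check: is the libcurl behind `curl --version` at least a given version?

Added example, not curl project code. Reads the libcurl/x.y.z token from the
first line of `curl --version`, which names the library actually linked,
rather than the binary's own version, which can be newer than the library.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'8.5.0' -> (8, 5, 0); '8.5' -> (8, 5, 0); suffixes like '-DEV' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = m.groups(default="0")
    return int(major), int(minor), int(patch)


def binary_version(banner: str) -> Optional[Version]:
    """Version of the curl executable itself (the leading 'curl x.y.z')."""
    m = re.match(r"curl (\d+\.\d+(?:\.\d+)?)", banner)
    return parse_version(m.group(1)) if m else None


def libcurl_version(banner: str) -> Optional[Version]:
    """Version of the library the executable is linked against."""
    m = re.search(r"\blibcurl/(\d+\.\d+(?:\.\d+)?)", banner)
    return parse_version(m.group(1)) if m else None


def needs_update(banner: str, minimum: str) -> bool:
    """True unless the *library* version is provably at or above `minimum`.
    Fails closed: a banner without a libcurl token counts as not fixed."""
    lib = libcurl_version(banner)
    if lib is None:
        return True
    return lib < parse_version(minimum)


def binary_newer_than_library(banner: str) -> bool:
    """Flags the easy-to-miss case: a patched curl binary over an old library."""
    binary, lib = binary_version(banner), libcurl_version(banner)
    return binary is not None and lib is not None and binary > lib


def local_banner() -> Optional[str]:
    """First line of `curl --version` on this machine, or None if absent."""
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True,
                             text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.splitlines()[0] if out.stdout else None


# Constructed sample banners for offline use; hosts and versions are invented.
SAMPLE_MATCHED = "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.2 zlib/1.2.13"
SAMPLE_LAGGING = "curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.2 zlib/1.2.13"
SAMPLE_NOLIB = "curl 8.9.1 (x86_64-pc-linux-gnu)"

if __name__ == "__main__":
    minimum = "8.6.0"   # placeholder: substitute the fixed version from the advisory
    for name, banner in [("matched", SAMPLE_MATCHED), ("lagging", SAMPLE_LAGGING),
                         ("nolib", SAMPLE_NOLIB), ("local", local_banner() or "")]:
        print(f"{name:8} needs_update={needs_update(banner, minimum)} "
              f"binary_newer_than_library={binary_newer_than_library(banner)}")
```

Run it across a fleet with the advisory's fixed version as `minimum`; the `binary_newer_than_library` flag is the one worth acting on, because a host showing a new `curl` number can still be carrying the old library underneath.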
02 · Lesson · why it matters
The longer a thing works, the fewer eyes are on it
Trust isn't built by checking — it's built by not needing to. So the safest-looking places are the ones nobody is watching anymore.
Twenty-five years of nobody noticing
A flaw lived inside curl since March 2001. Curl is everywhere — phones, cars, banks, most of the world’s servers. It is among the most-read code on the planet. And still, a wrong assumption sat in it, undisturbed, for a quarter of a century.
That’s the strange part. Not that a bug existed — every system has them. That this one survived because the software was so good. The longer curl ran without trouble, the less reason anyone had to re-read the oldest, dullest corners of it. Flawless operation became its own kind of cover.
How trust actually forms
Think about how you come to trust anything — a colleague, a car, a bridge, a piece of software. You don’t check it constantly. You check it at the start, it holds, and slowly you stop checking. That’s not laziness. It’s the whole point of trust: it frees your attention to go elsewhere.
But notice what that means. The amount of scrutiny something gets falls over time — not because it got safer, but because it seemed to. Attention drains away from exactly the things that have earned it. The places we trust most are, almost by definition, the places we look at least.
Where risk goes to hide
Risk doesn’t spread evenly. It pools. And it pools where no one is looking — which, over time, is the same as where everyone has agreed it’s fine.
A brand-new app gets picked apart; people expect it to break. The component that’s run perfectly for fifteen years gets waved through; people expect it to hold. So a problem in the new thing surfaces fast, and a problem in the old thing can hide for a generation. The danger isn’t proportional to how shaky something looks. It’s often the opposite.
This is why the curl flaw matters past curl. The riskiest part of any system is rarely the part that worries you. It’s the part that stopped worrying you a long time ago.
Why it took a machine to see it
For years, no one re-read curl’s oldest code because re-reading it by hand didn’t pay. A human reviewer has limited hours and gets tired around line forty thousand; spending them on code that’s worked since 2001 felt like checking a lock you’ve opened a thousand times. So the trusted code got the least fresh attention, and the rust built up unseen.
An AI tool doesn't get bored and carries no accumulated trust in the code. It re-reads the dull, trusted, ancient corners as carefully as the new ones. That's why old flaws are surfacing now: not because the code got worse, but because something finally looked at the places human attention had quietly abandoned.
You are inside this, not above it
It’s easy to read this as a story about software and feel safe outside it. You aren’t. The same shape runs through your own life.
The password you set up once and never thought about again. The old account you forgot you opened. The friend’s app you connected to your data years ago and trust by habit. The contractor, the vendor, the auto-renewing subscription — the things that have worked so long they fell below your notice. Your real exposure usually isn’t the new thing you’re nervous about. It’s the old thing you stopped checking, because it never gave you a reason to.
And here’s the humbling part: you can’t see your own blind spots, by definition. The corner you’ve stopped looking at is invisible to you precisely because you stopped. The curl flaw didn’t get found by the people who knew curl best — they were the ones most sure it was clean. It got found by something with no history of trusting it.
So the move isn’t to trust nothing; a life spent re-checking everything is no life. It’s to hold a quieter doubt about the things you’re surest of — to know that “it’s always been fine” is not the same as “it’s fine,” and that the safest-feeling corner of any system, your own included, is the one most worth a second look.
03 · Lab · your turn
Where Do You Look
Spend limited review attention across new and old systems, then see that the flaw was hiding in the trusted one you skipped.
04 · Hope · carry this
A flaw that hid for twenty-five years was still found in the end — and the tools that found it get better every month. The dusty corners we stopped checking are finally getting a fresh pair of eyes.