Editorial analysis: For ML engineers and security teams, the key takeaway is that AI-specific infrastructure components (model gateways, agent runtimes, and exposed endpoints) are now high-priority attack surfaces. Teams deploying or operating production LLM endpoints should treat these components like web-facing services and instrument detection, rate-limiting, and isolation accordingly.
What happened (reported)
According to Zenity Labs' research (press release distributed via Business Wire and republished by MartechSeries, Yahoo Finance, and Morningstar), its global sensors recorded thousands of attack attempts against enterprise AI infrastructure. The report states sensors observed hundreds of exploitation attempts targeting CVE-2026-40217, a critical remote-code-execution vulnerability in LiteLLM, beginning the same day the CVE was patched and continuing with further attempts over the following six weeks. The findings also attributed activity to additional LiteLLM vulnerabilities, including an SSRF-based data-exfiltration variant linked to CVE-2024-6587 and a coordinated campaign referencing CVE-2026-35029, the press release says.
Zenity's report gives concrete abuse examples, per the distributed release: operators allegedly deployed Strix, an autonomous pentesting/agent tool, and attempted to direct it at a production e-commerce site; threat actors reportedly routed multi-agent enterprise workflows through exposed infrastructure; some actors attempted to use exposed AI endpoints as free compute (the report likens this to cryptomining); and one incident allegedly exposed an entire development environment and git history via OpenAI's Codex.
Editorial analysis - technical context
These reported patterns echo broader agent-era threats documented elsewhere. Public coverage of agent-related incidents (for example, an AIMultiple roundup of 20 agent incidents) shows recurring classes of failure: unprotected agent runtimes, credential leakage, and systemic traps where agents gain capabilities outside intended scopes. Treating gateways like API front-ends with strict input/output controls, sandboxing, and provenance checks aligns with common mitigations discussed in industry literature.
Operational implications for practitioners
Instrumentation that detects rapid exploit bursts is critical because Zenity's timeline (hundreds of attempts the same day a patch was released) illustrates how quickly adversaries scan for and weaponize published CVEs. Where possible, separate compute and data planes for untrusted workloads, enforce least-privilege network egress rules, and monitor for anomalous long-running or high-CPU jobs on model-serving infrastructure; the press release's cryptomining-like observations underline abuse of compute resources.
What to watch
Industry observers will watch remediation telemetry for LiteLLM deployments and any vendor advisories tied to the CVEs Zenity enumerated. Reporting channels and vulnerability feeds should be monitored for follow-up disclosures tied to CVE-2026-40217, CVE-2026-35029, and SSRF variants of CVE-2024-6587, as these are named in Zenity's release. Also track disclosures describing autonomous-agent tooling (for example, Strix) being repurposed, since toolchains designed for red-team automation are showing up in reported abuse.
Editorial analysis: While the Zenity release is vendor-originated research (distributed as a press release), the patterns it describes (fast exploitation after patching, compute abuse, multi-agent routing through exposed endpoints, and accidental developer-artifact exposure) are consistent with other documented agent-era incidents and CVE-driven opportunistic scanning. That alignment increases confidence that the behaviors reported are part of a broader operational trend rather than isolated anomalies.
Closing
The report underscores a simple operational point for AI production: model-serving components must be covered by the same security lifecycle as any internet-facing service, namely vulnerability management, least privilege, telemetry, and segmentation. Teams should correlate Zenity's telemetry reports with their own logs to prioritize patching and hardening where LiteLLM or similar gateways are in use.
Key Points
- Exposed model gateways and agent runtimes are now prioritized by attackers, increasing production risk for deployed LLM endpoints.
- Zenity's sensors recorded hundreds of exploit attempts against CVE-2026-40217 the same day the patch was published, showing rapid weaponization.
- Attackers repurpose autonomous tools (e.g., Strix) and exposed infra for compute abuse and multi-agent workflows, widening the threat surface.
Scoring Rationale
The story documents active exploitation of critical LiteLLM vulnerabilities and real-world attacker tactics affecting production AI infrastructure. This is highly relevant to ML ops and security teams, but it is not a system-changing research breakthrough.