During January’s Patch Tuesday, Microsoft acknowledged Unpatched.ai for identifying multiple high-severity vulnerabilities, but the AI-powered bug finding tool remains shrouded in mystery within the cybersecurity community.
Microsoft’s latest round of patches addressed 159 new vulnerabilities across a range of its widely utilized products. Among these vulnerabilities, Microsoft credited Unpatched.ai for uncovering and reporting three critical remote code execution vulnerabilities labeled as CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395. All three vulnerabilities impacted Microsoft Access, the company’s database management system, and were assessed with a CVSS score of 7.8.
Despite the recognition from Microsoft, there is a significant lack of information available about Unpatched.ai, the AI-driven analysis, and vulnerability reporting tool. Information security vendors and experts reached out by Informa TechTarget have encountered difficulties in uncovering more details about this tool, leading to more questions than answers.
The Unpatched.ai website touts itself as a "vulnerability discovery by an AI-guided cybersecurity platform." However, the list of reported bugs on the site is exclusively centered around Microsoft vulnerabilities, particularly those affecting Microsoft Access. The contact page indicates that Unpatched.ai collaborates with "select enterprise, government, and security vendors based in the U.S. and allied countries."
Regarding its methodology, Unpatched.ai attributes its research to silent patching, mentioning, "We find unpatched issues in software to help customers better identify and manage cyber risk. Many issues are unknown or silently fixed by software vendors, hiding the true risk profile of their products. With the help of AI, we are developing an automated platform to help find and analyze these issues for our customers."
Additionally, Unpatched.ai maintained an X account, but its recent posts have been deleted. A notable post from Jan. 29 alerted users that the Microsoft patch for CVE-2025-21396 was inadequate. When contacted by Informa TechTarget, a Microsoft spokesperson acknowledged the reports and assured taking necessary action to protect customers.
Despite the acknowledgement from Microsoft, the tech giant did not respond to requests for further context on Unpatched.ai. Similarly, Unpatched.ai remained silent on requests for comments from Informa TechTarget.
Further investigation into Unpatched.ai revealed limited results. The domain was registered through Namecheap in September, but additional details about the owner remain shielded by a domain privacy service located in Reykjavik, Iceland. While there is little information beyond what Unpatched.ai provides on its website, a Reddit user named "Fit_Tie_9430" claimed to be affiliated with the platform, sharing insights on vulnerabilities related to Microsoft Access.
Experts like Adam Barnett from Rapid7 and Satnam Narang from Tenable noted the scarcity of information about Unpatched.ai as a service or platform. Barnett highlighted the platform’s automated vulnerability discovery and analysis processes, while Narang expressed uncertainty over the platform’s future openness regarding its leadership and team.
Alon Yamin, CEO of Copyleaks, acknowledged the emergence of AI-driven vulnerability reporting platforms as integral in addressing the surge in vulnerabilities. However, he emphasized the importance of deploying such tools responsibly and ethically to prevent misuse by malicious actors.
The development of AI-driven vulnerability discovery is a growing trend in the cybersecurity industry, with few breakthroughs publicly announced. In a similar vein, Google touted its AI-powered agent, Big Sleep, developed by Google Project Zero and Google DeepMind, for uncovering a zero-day vulnerability in the SQLite open source database engine.
As the cybersecurity landscape continues to evolve, the role of AI in vulnerability discovery is poised to play a crucial part in enhancing cyber defense capabilities. The emergence of platforms like Unpatched.ai underscores the need for transparency, responsibility, and ethical deployment of AI technologies in cybersecurity practices to ensure a secure digital environment for all users.
Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.