Introduction
In a significant development for the defensive security community, Anthropic has launched Project Glasswing, utilizing its new frontier model, Claude Mythos, to identify critical security gaps. This initiative has already yielded alarming results: the discovery of thousands of previously unpatched vulnerabilities affecting major technology providers, including Amazon Web Services (AWS), Apple, Broadcom, Cisco, and CrowdStrike.
For defenders, this announcement is a precursor to a potential flood of high-severity patching events. The integration of AI into vulnerability research signals a shift in speed and scale; flaws that might have lain dormant for years are being identified en masse. Security teams must immediately heighten their vulnerability management posture for these specific vendors and prepare for rapid remediation cycles as disclosures are released.
Technical Analysis
Affected Ecosystem
Project Glasswing targets critical infrastructure and widely deployed enterprise platforms. The confirmed affected entities include:
- Cloud Providers: Amazon Web Services (AWS)
- Hardware & Networking: Cisco, Broadcom
- Endpoint/OS: Apple
- Security Platforms: CrowdStrike
Vulnerability Profile
While specific CVE identifiers were not disclosed in the initial announcement, the description of "thousands of unpatched vulnerability flaws" suggests a mix of severity levels, likely ranging from information disclosure to remote code execution (RCE). The involvement of Claude Mythos, a frontier AI model, implies that these vulnerabilities were likely discovered through deep code analysis and automated reasoning techniques capable of identifying complex logical flaws that traditional static analysis (SAST) might miss.
Exploitation Status
- Current Status: Unpatched / Vendor Disclosure Pending.
- Risk: Critical. Because these flaws exist in unpatched systems across major vendors, the window of exposure is open until specific advisories and patches are released. Given the profile of the vendors (e.g., networking gear from Cisco, cloud infrastructure from AWS), successful exploitation could lead to supply-chain compromises or lateral movement within enterprise environments.
Executive Takeaways
Since this announcement represents a vulnerability discovery initiative rather than a specific active exploit campaign (e.g., a specific ransomware strain), defenders should focus on organizational readiness.
- Establish Vendor Advisory Watchlists: Immediately configure your vulnerability management platform (e.g., Tenable, Qualys, Rapid7) and SIEM to ingest and prioritize alerts specifically for AWS, Apple, Broadcom, Cisco, and CrowdStrike.
- Prepare for Emergency Change Windows: The volume of "thousands" of flaws suggests mass patching events will be required. Update your change management advisory boards (CAB) now to approve pre-staged emergency maintenance windows for these critical vendors.
- Inventory High-Value Assets: Identify "Crown Jewel" assets relying on the affected vendors. A Cisco IOS XE vulnerability is more critical on your core perimeter router than on a switch in an isolated lab.
- Review Segmentation and Zero Trust: Assume some of these "unpatched" flaws may be RCEs. Verify that network segmentation and Zero Trust controls are functioning correctly to limit blast radius if an exploit appears before a patch is available.
Remediation
As specific CVEs are released through Project Glasswing partners, follow the standard lifecycle below. In the interim, enforce strict configuration hygiene.
Immediate Actions
- Audit Affected Systems: Use the provided scripts below to audit your environment for the presence of affected vendor software.
- Subscribe to Vendor Security Mailing Lists
Patching Strategy
- Priority 1: Focus on internet-facing assets (External FW, VPNs, Cloud instances).
- Priority 2: Internal core infrastructure and Active Directory controllers running affected software.
Verification Scripts
These scripts help identify instances of the affected vendors. Use this data to feed your CMDB for rapid targeting when advisories drop.
Windows Audit Script (PowerShell)
This script checks for the presence of common Cisco and CrowdStrike agents/services.
```powershell
# Audit for Project Glasswing Vendors (Windows)
Write-Host "[*] Scanning for Project Glasswing affected vendors..." -ForegroundColor Cyan
$affectedVendors = @("Cisco", "CrowdStrike", "Broadcom", "Apple")
$foundSoftware = @()

# Check installed software registry for matching patterns (64-bit and 32-bit hives)
$regPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
foreach ($path in $regPaths) {
    if (Test-Path $path) {
        Get-ItemProperty $path -ErrorAction SilentlyContinue | ForEach-Object {
            # Capture the registry entry before the inner pipeline rebinds $_ to the vendor name
            $app = $_
            if (-not $app.DisplayName) { return }
            $match = $affectedVendors | Where-Object {
                $app.DisplayName -like "*$_*" -or $app.Publisher -like "*$_*"
            } | Select-Object -First 1
            if ($match) {
                $foundSoftware += [PSCustomObject]@{
                    Vendor  = $match
                    Name    = $app.DisplayName
                    Version = $app.DisplayVersion
                    Source  = "Registry"
                }
            }
        }
    }
}

# Check for CrowdStrike services specifically
$csService = Get-Service -Name "CSFalconService*" -ErrorAction SilentlyContinue
if ($csService) {
    Write-Host "[+] CrowdStrike Falcon Service Detected: $($csService.Name)" -ForegroundColor Green
}

# Check for a running Cisco AnyConnect client
$ciscoProcess = Get-Process -Name "vpnui" -ErrorAction SilentlyContinue
if ($ciscoProcess) {
    Write-Host "[+] Cisco AnyConnect VPN Process Detected" -ForegroundColor Green
}

if ($foundSoftware) {
    $foundSoftware | Format-Table -AutoSize
} else {
    Write-Host "[-] No standard installed software found for these vendors in registry." -ForegroundColor Yellow
}
```
Linux Audit Script (Bash)
This script checks for common AWS, Cisco, or Broadcom packages on Linux endpoints.
```bash
#!/bin/bash
echo "[*] Scanning for Project Glasswing affected vendors (Linux)..."

# Check for AWS Tools/CLI
if command -v aws &> /dev/null; then
    echo "[+] AWS CLI Found:"
    aws --version
fi

# Check for common Cisco or Broadcom packages (whichever package manager is present)
echo "[*] Checking for Cisco/Broadcom packages..."
if command -v dpkg &> /dev/null; then
    dpkg -l | grep -iE "cisco|broadcom" && echo "[+] Found related packages" || echo "[-] No packages found via dpkg"
fi
if command -v rpm &> /dev/null; then
    rpm -qa | grep -iE "cisco|broadcom" && echo "[+] Found related packages" || echo "[-] No packages found via rpm"
fi

# Check for CrowdStrike Falcon Sensor (falconctl needs root to report its version)
if [ -f /opt/CrowdStrike/falconctl ]; then
    echo "[+] CrowdStrike Falcon Sensor detected."
    /opt/CrowdStrike/falconctl -g --version 2>/dev/null || echo "[-] Unable to query sensor version (run as root)"
fi

echo "[*] Scan complete."
```
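The audit scripts tell you where watchlist software is installed; the Patching Strategy above tells you the order to fix it in. The following Python script, added here as an example and not part of the original advisory, joins the two: it normalises product strings of the kind the scripts emit (registry DisplayName values, dpkg/rpm package names) to one of the five named vendors, applies the Priority 1 (internet-facing) and Priority 2 (internal core infrastructure, AD controllers) rules, and renders a CSV that a CMDB or ticket queue can import. The inventory fields (host, product, internet_facing, role), the role tags and the sample records are constructed assumptions; adapt the patterns and roles to your estate.

```python
"""Tiered patch-queue builder for the Project Glasswing vendor watchlist.

Added example (not the advisory's own code). The inventory schema
(host, product, internet_facing, role), the role names and the sample
records are assumptions; swap in your CMDB export.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# Vendors named in the Project Glasswing announcement.
WATCHLIST = ("Amazon Web Services", "Apple", "Broadcom", "Cisco", "CrowdStrike")

# Constructed patterns mapping product strings (registry DisplayName, dpkg/rpm
# package names, service names) to a watchlist vendor. Extend for your estate.
VENDOR_PATTERNS = {
    "Amazon Web Services": re.compile(r"\b(aws|amazon)\b", re.I),
    "Apple": re.compile(r"\bapple\b", re.I),
    "Broadcom": re.compile(r"\bbroadcom\b", re.I),
    "Cisco": re.compile(r"\b(cisco|anyconnect)\b", re.I),
    "CrowdStrike": re.compile(r"\b(crowdstrike|falcon)\b", re.I),
}

# Assumed role tags for the advisory's Priority 2 class: internal core
# infrastructure and Active Directory controllers.
CORE_ROLES = {"domain-controller", "core-router", "core-switch"}


def vendor_for(product: str) -> Optional[str]:
    """Return the watchlist vendor a product string belongs to, else None."""
    for vendor in WATCHLIST:
        if VENDOR_PATTERNS[vendor].search(product):
            return vendor
    return None


@dataclass
class Asset:
    host: str
    product: str
    internet_facing: bool
    role: str

    @property
    def vendor(self) -> Optional[str]:
        return vendor_for(self.product)


def priority(asset: Asset) -> int:
    """Patching priority per the advisory: 1 = internet-facing, 2 = internal
    core infrastructure / AD controllers, 3 = any other watchlist asset.
    Returns 0 for assets whose vendor is outside the watchlist."""
    if asset.vendor is None:
        return 0
    if asset.internet_facing:
        return 1
    if asset.role.lower() in CORE_ROLES:
        return 2
    return 3


def patch_queue(assets: List[Asset]) -> List[Asset]:
    """Watchlist assets only, most urgent first (ties broken by hostname)."""
    queue = [a for a in assets if priority(a) > 0]
    return sorted(queue, key=lambda a: (priority(a), a.host))


def to_csv(queue: List[Asset]) -> str:
    """Render the queue as CSV rows suitable for CMDB or ticket import."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["priority", "host", "vendor", "product", "role"])
    for a in queue:
        writer.writerow([priority(a), a.host, a.vendor, a.product, a.role])
    return buf.getvalue()


# Constructed sample inventory: product strings as the audit scripts report
# them, joined with exposure and role data from the CMDB.
SAMPLE_INVENTORY = [
    Asset("fw-edge-01", "Cisco ASA", True, "perimeter-firewall"),
    Asset("vpn-01", "Cisco AnyConnect Secure Mobility Client", True, "vpn-gateway"),
    Asset("dc-01", "CrowdStrike Windows Sensor", False, "domain-controller"),
    Asset("lab-sw-07", "Cisco IOS XE", False, "lab-switch"),
    Asset("web-01", "Amazon SSM Agent", True, "web-server"),
    Asset("ws-042", "Microsoft Office", False, "workstation"),  # not on watchlist
]

if __name__ == "__main__":
    print(to_csv(patch_queue(SAMPLE_INVENTORY)))
```

Priority 1 is checked before role, so an internet-facing domain controller still lands at the top of the queue; the lab switch running IOS XE drops to Priority 3, matching the advisory's point that the same product matters far less in an isolated lab than on the perimeter.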