Epoch AI Data Shows Spike in Critical CVEs

Key Takeaways

– 21 organizations disclosed a significant number of high- and critical-severity CVEs in June, per Epoch AI’s tracking.
– That total is more than the previous monthly record, set before Anthropic announced Claude Mythos Preview.
– Project Glasswing partners used Mythos to find bugs before public disclosure.
– Epoch AI says frontier AI models now match a high level of capability in vulnerability discovery.

Epoch AI tracked a significant number of high- and critical-severity CVEs in June, a notable jump over any previous month. And the cause is Claude Mythos. Anthropic’s internal model can autonomously discover and exploit software vulnerabilities. It has been doing exactly that through Project Glasswing, a coordinated disclosure effort with major industry partners.

The result is a wave of newly disclosed bugs that every small business shipping software needs to understand, because the patching backlog is growing faster than anyone can clear it.

What Did Epoch AI Actually Find?

Epoch AI’s CVE severity tracker shows that 21 notable organizations published a significant number of high- and critical-severity CVEs in June.

That number represents a notable increase over the previous monthly record before Claude Mythos Preview’s release. Epoch AI explicitly called it a “large jump” and tied the spike directly to Anthropic’s announcements.

What makes this different from normal CVE growth is timing.

Project Glasswing partners had already been running Mythos against their own codebases to find and fix bugs ahead of any broader public release. The flood of disclosures in June represents months of accumulated discoveries from major industry players using a model that Epoch AI compares to a high-level security researcher. This is not gradual growth in vulnerability reporting. It is a structural break. And one model trained by one company produced enough legitimate security findings to shatter every existing baseline for monthly CVE disclosures.

How Strong Is Claude Mythos Compared to Older Models?

Epoch AI’s analysis is blunt about this. Frontier AI models including Mythos are now comparable to a high level of capability in vulnerability discovery, with Mythos particularly strong at assessing severity and reducing false positives. The bugs it finds are real, and they are serious.

The improvement over previous models is specific and quantified. Epoch AI states that the advancements made by Mythos represent a significant leap in exploit development.

It was a generational leap that caught the security community off guard.

But what should concern anyone shipping software is that prior models were already “very good” at finding vulnerabilities, according to the same Epoch AI analysis. Mythos just made the jump visible given that it crossed a threshold where findings could not be absorbed quietly.

When the next model makes a similar leap, and it will, the same dynamic plays out again at higher volume and higher speed.

What Should Small Operators Do Right Now?

If you run a small business or ship code as a solo developer, the spike in critical CVEs changes your threat model whether you realize it or not.

Major industry partners used Mythos to find bugs through proper channels. Those CVEs are public now. The patches are rolling out at human speed. And the exploitation window between disclosure and fix deployment is where attackers operate.

My agency tracks dependency vulnerabilities on every client project. And since June the volume of high-severity findings in routine scans has jumped noticeably. We are not special in this regard.

Anyone running automated dependency scanning is seeing the same pattern.

The practical steps are not complicated, but they require consistency.

Run dependency scans daily instead of weekly: with a significant number of new critical CVEs per month, a weekly cadence is too slow to catch real threats. Prioritize patching anything tagged high or critical from June onward, since those are the most likely to have been discovered through recent advancements. Subscribe to advisories from the specific vendors in the Project Glasswing partner list, since their disclosure pipelines are the ones firing fastest right now. You do not need a security team to handle this. You need a patching routine that assumes the vulnerability count will keep climbing.
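One way to turn that routine into a daily patch queue, as an added example that is not from Epoch AI or any scanner vendor. It assumes a simplified finding format (the field names `id`, `package`, `cvss`, `published`, `fixed_in` are hypothetical, not a real tool's schema), and the sample IDs, package names and year are constructed placeholders.

```python
from datetime import date

# CVSS v3.x qualitative bands: High is 7.0-8.9, Critical is 9.0-10.0.
def severity(cvss):
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "lower"

def triage(findings, since, already_seen=frozenset()):
    """Build today's patch queue from one scan.

    Keeps high/critical findings published on or after `since`, puts
    findings that were not in the previous scan first, then sorts by
    score (highest first). Each entry says whether a fixed version exists.
    """
    queue = []
    for f in findings:
        sev = severity(f["cvss"])
        if sev == "lower" or date.fromisoformat(f["published"]) < since:
            continue
        action = f"upgrade to {f['fixed_in']}" if f.get("fixed_in") else "no fix yet: mitigate"
        queue.append({"id": f["id"], "package": f["package"], "severity": sev,
                      "new": f["id"] not in already_seen, "action": action,
                      "cvss": f["cvss"]})
    queue.sort(key=lambda e: (not e["new"], -e["cvss"]))
    return queue

# Constructed sample scan: IDs, package names and the year are placeholders.
SAMPLE_SCAN = [
    {"id": "CVE-0000-0001", "package": "libexample", "cvss": 9.8, "published": "2000-06-03", "fixed_in": "2.4.1"},
    {"id": "CVE-0000-0002", "package": "webframework-x", "cvss": 7.5, "published": "2000-06-20", "fixed_in": None},
    {"id": "CVE-0000-0003", "package": "parser-y", "cvss": 5.3, "published": "2000-06-11", "fixed_in": "1.0.9"},
    {"id": "CVE-0000-0004", "package": "tls-z", "cvss": 8.1, "published": "2000-05-28", "fixed_in": "3.2.0"},
    {"id": "CVE-0000-0005", "package": "imagelib-q", "cvss": 8.8, "published": "2000-07-02", "fixed_in": "0.9.7"},
]
SINCE = date(2000, 6, 1)                  # placeholder for "from June onward"
YESTERDAY = frozenset({"CVE-0000-0001"})  # IDs already queued by the previous daily run

if __name__ == "__main__":
    for e in triage(SAMPLE_SCAN, SINCE, YESTERDAY):
        flag = "NEW" if e["new"] else "old"
        print(f"{flag} {e['severity']:8} {e['id']} {e['package']}: {e['action']}")
```

Persisting the queued IDs between runs is what makes the daily cadence useful: each morning's output leads with what appeared since the last scan.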

Is This the Spike Before the Flood?

Epoch AI’s data does not project forward explicitly, but the pattern tells its own story. Anthropic released Mythos Preview to a small set of trusted partners and generated a significant spike in a single month. The same capability will eventually reach open-source models with fewer guardrails. When it does, the discovery rate will not slow down.

The upside is that more bugs found and patched means more secure software over time.

That is genuinely good news. The downside is the transition period we are living through right now, where AI can discover vulnerabilities in minutes but humans need sprint cycles to patch them. That asymmetry is the real story behind Epoch AI’s significant number. And it is going to get worse before it gets better.

If you are running a lean operation, tighten your patching cadence this week. The recent CVEs are the floor, not the ceiling.

Read Epoch AI’s full analysis

Sources

Epoch AI: CVE Severity Spike
Epoch AI: Cyber Vulnerabilities Explorer
Epoch AI on LinkedIn
