Chinese AI real security risk? Plus: Vibe hunting, the end of CVSS and updates on Lightwell

Reddit r/ArtificialInteligence News

Summary

This article covers a security podcast discussion on the risks of open-weight AI models like GLM 5.2, which attackers can modify and exploit, and introduces CISA's new BOD 26-04 directive that replaces the CVSS scoring system with a four-variable dynamic prioritization model for federal agencies.

No content available
Original Article
View Cached Full Text

Cached at: 07/15/26, 01:57 PM

## TL;DR The open-weight model GLM 5.2 has reached mythical-level capabilities in some domains, and attackers have already obtained these unlocked models, tilting the security landscape. Meanwhile, CISA has introduced BOD 26-04, replacing CVSS scoring with a four-variable model that requires federal agencies to dynamically determine patch timelines based on exposure, exploitation, automation, and impact. ## Open-Weight Model GLM 5.2 and Security Threats ### Event Background: A Substack Article That Sparked Debate On the latest episode of the *Security Intelligence* podcast, host Max Sinsky and three experts—Claire Nunez (Creative Director, IBM X-Force Cyber Range), Dustin "Evil Mog" Haywood (X-Force Executive Managing Hacker & Senior Technician), and Ian Malloy (Director of Security Research)—first focused on GLM 5.2. This open-weight model, released by Chinese company ZAI, was described by Meta machine learning and cybersecurity researcher Joshua Sacks in a Substack article titled "GLM 5.2, not a myth, is the real security emergency" as possessing "mythical-level capabilities." Sacks pointed out that while the industry is locking down frontier models, restricting access, and applying guardrails, attackers can obtain these unlocked open models. He wrote: "The problem isn't about putting the AI genie back in the bottle, but about ensuring the genie populates defender networks, consolidating our position before the cyber attack world has its own minion-code automation moment." ### Debate on Model Capabilities and Access Barriers **Dustin** (Evil Mog) responded first: "This was inevitable. The GLM 5.2 model requires eight H100s—a significant compute requirement. But through quantization, you can shrink it. You can fit them into small systems like the DGX Spark with only 128GB of memory. So capabilities are spreading. GLM 5.2 itself isn't that scary from a cybersecurity perspective, but what's scary are the corrupted models, extracted models, and models with modified weights—if you disable its refusal mechanism, it becomes much more evil." **Ian** noted that his team has successfully found vulnerabilities using much smaller models, with creative prompting being the key. "A mythical model is a game-changer, but not an absolute necessity." He added that hardware vendors would be the biggest beneficiaries: "If you can burn more tokens, that benefits model providers and hardware providers. But what's truly scary is when you can achieve the same level of compute to create those vulnerabilities with a much smaller model—when we can refine it, or better prompt the model, or remove some guardrails, or isolate that attack capability, things become truly terrifying." **Dustin** mentioned: "Models like Qwen, Qwethos, and other scary ones are emerging. It feels like something new comes out every other day, and it can still fit into something as small as an MSA 2." ### Limitations of Safeguards **Claire** quoted from another article: "'We have mythology at home'—that's interesting. Mythology is basically like a locked box, but if attackers believe it exists, someone will find a way to replicate it. It's a bit like the AI space race—someone will figure it out, whether we let defenders have it or attackers have it." **Dustin** countered sharply: "I take issue with a few statements. Saying 'whether we let or not,' 'defenders get it,' 'attackers get it'—they already have it. It's already out there; you can't put this genie back in the bottle. Either you annoy people like me with controls, or I start using all the other systems. The Opus 4.8 I was using worked perfectly for cybersecurity use cases for a long time, until 24 hours ago, when it suddenly blocked even mentioning a fuzzer. People will start circumventing this, and soon the only option will be open-weight models. I think the opportunity to control the situation was lost the moment we declared these as export-controlled weapons and the US began stopping true frontier models from being exported." The host summarized: "Safeguards are great, but they're for the good guys. Not for the bad guys. The bad guys are bad because they don't follow safeguards in the first place." ### Implications for Defenders **Ian** proposed: "Defenders can also use the same models attackers use. They can download GLM and run it. Attackers have access to mythology, Glasswing, etc., through Mythos Preview, Daybreak, and the latest GPT models. The question now is: Is there some hypothetical model so dangerous that we actually wouldn't want to release it? Does such a thing really exist? Or will it always be 'No, we can always release more powerful models; it's just something we have to get used to'?" **Claire** shared from client feedback that many are very panicked. "The general reminder is to use AI to fight AI; you can no longer rely solely on old-school tactics." **Dustin** concluded: "Three months ago, we already had equivalents. I think one day there will be an AI model we can never release, but I think we'll never be able to stop it. Whether we like it or not, it will emerge—as we've already proven. So, like it or not, we're all on the same ride." ## CISA BOD 26-04: Replacing CVSS with a Four-Variable Model ### Core Content of the New Directive The host introduced the second story: Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued BOD 26-04. This new directive introduces a four-variable model for prioritizing vulnerabilities, adopting a more dynamic remediation timeline: 1. **Public Exposure**: Can the vulnerability be exploited from outside the agency's network? 2. **Real-World Exploitation**: Is the vulnerability being actively exploited? 3. **Exploitation Automation**: Can the exploitation be automated? 4. **Impact Scope**: Does exploitation give full control of the affected system? Based on the answers to these questions, remediation timelines vary: the most critical vulnerabilities must be patched within 3 days, while the least critical can wait until system upgrades. ### Initial Panel Views **Claire** said: "The clients I usually work with don't really think about how vulnerabilities are classified. If this helps organizations patch faster and prevent large-scale crises, then executive audiences will be more satisfied with it. This is something federal agencies are required to adopt; other organizations may consider following later. If it helps organizations patch faster, that's a good thing." The host added that this is a directive specifically for federal agencies, but private organizations may choose to voluntarily reference it. **Dustin** was more cautious: "I'll keep an open mind about these changes. Don't get me wrong, I'm just a bit skeptical. Because people won't go back and update things like impact, environment, etc. It was never used for its intended purpose. Then the NVD (National Vulnerability Database) enrichment..." (Transcript truncated here; discussion incomplete.) Source: YouTube video link (https://youtu.be/qXGJ7pi-XOo?si=s_WKtYH9YiqIzeN4)

Similar Articles

GLM-5.2 fearmongering in the press

Reddit r/LocalLLaMA

An article discussing the fearmongering in the press about the open-source AI model GLM-5.2, which can be run on any hardware and is proficient at cybersecurity tasks, raising concerns about potential abuse and censorship.

@apivixtls: After reading this article, what I really noticed is not which model is more powerful. The author ran a series of actual security research tests using AI. Semgrep found nothing directly. Strix connected to GLM 5.1 ran for 12 hours, spent nearly 60 million tokens, and still didn't catch the key vulnerability. Cursor with GPT 5.5…

X AI KOLs Timeline

A security researcher tested four AI approaches (Semgrep, GLM 5.1+Strix, Cursor+GPT 5.5, local AI with custom harness) to find a known LFI vulnerability in PHPIPAM. Only the local AI harness consistently succeeded, demonstrating that the harness methodology matters more than the model, and highlighting advantages of local AI for cost, privacy, and flexibility in security research.

Working with US CAISI and UK AISI to build more secure AI systems

OpenAI Blog

OpenAI announces collaborative security improvements with US CAISI and UK AISI, highlighting joint red-teaming efforts that discovered and helped remediate novel vulnerabilities in ChatGPT Agent systems through multidisciplinary cybersecurity and AI agent security approaches.