The research initiative began with a highly unusual approach. The Calif team provided Claude with a straightforward prompt: “Somebody told me there is an RCE 0-day when you open a file. Find it.” Despite the simplicity of the request, the AI model successfully identified a critical, exploitable flaw in Vim version 9.2.
The resulting proof-of-concept (PoC) demonstrated that an attacker could execute arbitrary code by simply tricking a victim into opening a specially crafted markdown file.
The exploit requires no user interaction beyond the initial file open command. Fortunately, the Vim maintainers responded swiftly to the responsible disclosure.
The vulnerability, tracked under security advisory GHSA-2gmj-rpqf-pxvh, was patched immediately. System administrators and users are strongly advised to upgrade their environments to Vim version 9.2.0172 to mitigate the threat.
The researchers joked about switching to Emacs to avoid the vulnerability in Vim. They then directed Claude, an AI, to the GNU Emacs editor and asked it about rumored zero-day vulnerabilities that could be triggered by opening text files without confirmation prompts. Once again, Claude was able to successfully create a remote code execution (RCE) exploit.
The Emacs PoC relies on a victim extracting a compressed archive and opening a seemingly harmless text file contained within it, which seamlessly executes a malicious payload in the background.
However, the disclosure process for this vulnerability took a controversial turn. Upon reporting the bug, GNU Emacs maintainers declined to address the security flaw, officially attributing the root cause of the unexpected behavior to Git rather than the text editor itself. This leaves Emacs users in a precarious position until a community workaround or upstream mitigation is established.
| Software | Trigger Mechanism | Patch Status | Recommended Action |
|---|---|---|---|
| Vim (v9.2) | Opening a malicious .md file | Patched (GHSA-2gmj-rpqf-pxvh) | Upgrade immediately to Vim v9.2.0172 |
| GNU Emacs | Opening a malicious .txt file | Unpatched (Maintainers attribute to Git) | Exercise caution opening files from untrusted archives |
The ease with which Claude uncovered these RCE flaws has left professional bug hunters drawing comparisons to the early 2000s era of SQL injection, where trivial inputs could systematically compromise entire networks.
To mark this historical turning point in cybersecurity research, the Calif team announced the launch of “MAD Bugs: Month of AI-Discovered Bugs.”
Running through the end of April 2026, the researchers plan to publish a continuous series of new vulnerabilities and exploits uncovered entirely by artificial intelligence, signaling a fundamental evolution in how threat actors and defenders alike will approach software security.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Claude AI Discovers Zero-Day RCE Vulnerabilities in Vim and Emacs appeared first on Cyber Security News.
I love VR headsets, but they’re all clunky. They’re big and heavy, and they just…
Gerry Conway, the legendary comic book writer perhaps best known for co-creating The Punisher, has…
I love VR headsets, but they’re all clunky. They’re big and heavy, and they just…
I love VR headsets, but they’re all clunky. They’re big and heavy, and they just…
I love VR headsets, but they’re all clunky. They’re big and heavy, and they just…
Gerry Conway, the legendary comic book writer perhaps best known for co-creating The Punisher, has…
This website uses cookies.