VEXAIoT Multi-Agent System Automates IoT Reconnaissance and Exploit Execution

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Security researchers have introduced VEXAIoT, an AI-powered multi-agent framework designed to automate vulnerability discovery and exploit execution against Internet of Things environments.

The research shows how large language model agents can coordinate reconnaissance, attack planning, command generation, and result validation in isolated security testbeds.

VEXAIoT, short for Vulnerability EXploitation using AI Agents, uses two separate but connected agents. The first is a vulnerability detection agent that scans a target device, identifies exposed services, and looks for known vulnerabilities.

The second is an attack execution agent that selects suitable tools, generates commands, and attempts the planned exploit. The detection agent begins by using Nmap to identify open ports, services, and active network protocols.

It then uses data from Searchsploit and the Exploit Database to match discovered software and versions to known CVEs and publicly available proof-of-concept exploits.

The AI model analyzes this information and creates an ordered attack plan based on vulnerability severity, available tools, and dependencies between attacks.

VEXAIoT Automates IoT Reconnaissance

For example, some attacks require valid credentials to be executed. In these cases, VEXAIoT first attempts credential recovery or network traffic interception before launching dependent actions.

The framework can also retry an attack when generated commands fail, using error messages and execution output to adjust its next attempt.

Researchers tested the system against IoTGoat, an intentionally vulnerable OpenWrt-based IoT firmware environment, and the Metasploitable2 vulnerable machine.

Attack Workflow (Source: Arxiv)

The IoTGoat tests covered ten scenarios mapped to OWASP IoT security risks, including weak passwords, insecure network services, exposed developer backdoors, insecure updates, DNS denial-of-service, plaintext sensitive data, man-in-the-middle interception, remote code execution, and log deletion.

Across 200 IoTGoat attack attempts, VEXAIoT completed 189, achieving a 94.5 percent success rate.

Seven scenarios achieved a 100 percent success rate, including cross-site scripting, developer-backdoor access, malicious update execution, database PII extraction, log erasure, and remote code execution.

The weakest results were observed in the MiniUPnP backdoor and DNS denial-of-service tests, where command syntax issues and model refusals reduced success rates to 80 percent.

According to arXiv, the framework successfully exploited the VSFTPD backdoor and exposed database credentials in all 60 Metasploitable2 tests, while achieving remote code execution in 18 of 20 attempts.

Combined, the system achieved a 95 percent success rate across 260 executions. Most attacks completed in under two minutes, although password cracking took longer.

The researchers found that parallelizing independent attacks reduced total test time from about eight minutes and 31 seconds to approximately three minutes and 50 seconds.

However, token consumption remained largely unchanged because each attack still required a separate AI-agent interaction.

The study highlights the growing potential of agentic AI for authorized IoTpenetration testing and vulnerability validation.

However, the authors warned that autonomous exploit execution still faces important challenges, including hallucinated outputs, invalid commands, model refusals, and the need for stronger human oversight and safety controls.

The framework was evaluated only in controlled, intentionally vulnerable environments and should not be used against systems without explicit authorization.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.