Threat Analysis · May 2026

The plumbing was never built for this

An assessment of whether frontier-model vulnerability discovery — the kind demonstrated by Anthropic's Mythos preview against Firefox — can be directed at the software that runs the world's IP, optical, and routing infrastructure, and what an organization holding that capability could actually reach.

Subject: Network equipment software · Format: Capability brief · Read time: ~10 min

Headline assessment
Yes, with high confidence on vulnerability discovery and medium-high confidence on operational reach. A Mythos-class capability turned against carrier-grade routers, switches, controllers, and optical-management software would find serious latent vulnerabilities. Some of those would plausibly support control-plane or management-plane compromise. From there, an operator could reach high-value private data: configurations, credentials, topology, mirrored or redirected traffic, lawful-intercept feeds, and plaintext where encryption terminates at the compromised device or an associated mediation system. Properly implemented end-to-end application encryption still protects payloads in transit; it does not protect the surrounding control surface.

The technical claim is now an existence proof, not a hypothesis. Mozilla's Firefox case demonstrates the discovery rate against a hardened, fuzzed, public-target codebase. Salt Typhoon demonstrates that pre-AI-era attackers already converted router-software CVEs into traffic redirection, configuration theft, lawful-intercept exposure, and selective content access against US tier-1 telecoms. Mythos collapses the cost of finding the vulnerabilities Salt Typhoon needed to buy, steal, or stockpile. The encryption story does not save the defender wholesale, because the controls are designed to terminate at the device an attacker is now inside; what survives compromise depends on which encryption layer the carrier or device terminates and which sits above it.

01 — The capability: What Mythos actually demonstrated

Anthropic's announcement of Project Glasswing on 7 April 2026 made the capability legible. Mythos Preview — an unreleased frontier model held inside Anthropic and shared with a small set of partners — was reported to have surfaced thousands of zero-day vulnerabilities, many critical, including in every major operating system and web browser. The examples Anthropic chose to disclose are the relevant ones for sizing the threat: a 27-year-old remote-crash vulnerability in OpenBSD, a 16-year-old bug in FFmpeg sitting on a code path that automated tooling had hit five million times without catching, and a chained Linux kernel privilege escalation that the model assembled autonomously.

Mozilla's post-mortem on 7 May 2026 put numbers on it. Firefox 150 shipped with 271 security bugs attributed to the Mythos-driven harness — 180 sec-high, 80 sec-moderate, 11 sec-low — against a 2025 monthly baseline of 20–30 fixes total. Mozilla's overall April release total was 423 fixes; the difference is accounted for by other internal pipelines and external researchers under their normal rollup-CVE accounting. Among the disclosed Mythos finds: a 15-year-old bug in the <legend> element triggered by orchestration across recursion limits, expando properties, and cycle collection; a 20-year-old XSLT use-after-free; a sandbox escape exploiting a refcount race in IndexedDB; a parent-process fake-object primitive built from a raw NaN crossing an IPC boundary. Mozilla's own caveat is worth keeping in view: a "high severity" classification typically reflects predictable crash symptoms in their threat model — use-after-free, OOB memory issues caught by AddressSanitizer — not a fully-developed standalone exploit. Many of the bugs require chaining or specific preconditions to reach practical compromise. Several still survived the kind of fuzzing Mozilla and external researchers had been running for over a decade.

Firefox 150 fixes: 271. Bugs found by the Mythos-driven harness in a single release; baseline 20–30/month in 2025.
CyberGym score: 83.1%. Mythos vs. Opus 4.6 at 66.6% on the vulnerability-reproduction benchmark.
Oldest disclosed bug: 27 years. OpenBSD remote-crash bug found autonomously after surviving decades of human review.

Two qualitative shifts matter more than the headline numbers. First, the harness is doing more than reading code. Mozilla's team describes it as "agentic" — the model dynamically tests hypotheses, builds reproduction cases, and dismisses its own false positives. The historical defender complaint about LLM bug reports (slop dressed up as findings) has flipped: when the harness submits, it usually submits a working repro. Second, the codebases under audit have been hardened against decades of human and fuzzing pressure already. The bugs Mythos finds are the ones in the residue — bugs that require coordinated reasoning across distant parts of a system, the exact thing fuzzers are bad at and humans cannot scale.

UK AISI's independent evaluation of Mythos Preview, published alongside the Glasswing announcement, characterizes it as a step-change in autonomous cyber capability while emphasizing that test ranges are controlled environments rather than fully-defended enterprise networks. The reproducibility gap from "finds bugs in benchmark" to "finds bugs in production deployment" is real, but smaller than at any prior model generation.

02 — The target class: Why network equipment is fertile ground

Carrier and hyperscaler network gear runs on software with a particular profile: large C and C++ control planes accreted over fifteen to thirty years, hundreds of protocols implemented in-tree, an enormous attack surface composed of management interfaces (HTTPS API, SSH, NETCONF, gRPC, SNMP) plus the protocol stacks themselves (BGP, IS-IS, OSPF, LDP, RSVP-TE, BFD, PCEP, SR-MPLS controllers, SDN south-bound channels). Vendor codebases tend to predate the modern memory-safety era. Updates ship slowly because operators cannot reboot a Tier-1 LSR on a Patch Tuesday cadence. Public scrutiny is uneven: some platforms get security research attention, others sit in deployments that academic and bug-bounty researchers cannot touch.

The recent CVE drumbeat against Cisco IOS XE — the most-scrutinized carrier OS — gives a sense of what humans find when they look hard. Preconditions matter; severity headlines without them mislead:

Each entry gives the CVE, the severity class (with CVSS where published), the bug class, the preconditions, and the disclosure date.

CVE-2025-20188 (Critical, CVSS 10.0; May 2025). Hard-coded JWT in the IOS XE Wireless Controller enables unauthenticated arbitrary file upload, leading to root command execution. Precondition: Out-of-Band AP Image Download feature enabled (not on by default).

CVE-2025-20352 (High; Sep 2025). SNMP-based DoS or RCE on IOS / IOS XE. Preconditions: valid SNMP credentials (community string or v3 user); RCE additionally requires privilege-15 admin credentials.

CVE-2025-20363 (Critical; Sep 2025). Web services RCE across ASA / FTD / IOS / IOS XE / IOS XR, a single bug class spanning the portfolio. Preconditions: unauthenticated for ASA/FTD; authenticated low-privilege access required for the IOS family.

CVE-2025-20334 (High, CVSS 8.8; 2025). IOS XE HTTP API command injection leading to root. Preconditions: admin privileges, or a logged-in admin coerced into following a crafted link, plus the HTTP server enabled.

CVE-2025-20160 (High; Oct 2025). TACACS+ authentication bypass / data exposure. Preconditions: MITM position on TACACS+ flows AND TACACS+ configured without a shared secret.

CVE-2026-20104 (Medium per NVD; Mar 2026). Bootloader code execution / secure-boot bypass on Catalyst switches. Preconditions: physical access OR authenticated local privilege-15. Cisco rates the impact high; the NVD CVSS is medium.

This is what human hunters and existing fuzzing pipelines surface in a single product line over twelve months, with caveats. None of these are universally exploitable; most require at least one of credentials, configuration state, or a particular feature being enabled. That nuance does not make them less concerning; it constrains the operational use case without eliminating it. Other vendors show the same shape on different timetables. Nokia SR OS shipped CVE-2023-6729 (a low-privilege user with console access can read or replace the entire flash filesystem via SCP) and a BGP path-attribute mishandling issue. Ciena's Blue Planet orchestration suite carried CVE-2024-2005, a SAML-related privilege escalation across products through version 22.12. Optical-domain vendors generally see less third-party security research than IP routing vendors, which means the latent bug stock is plausibly higher per million lines of code, not lower.

The Mozilla case is informative as a Bayesian prior. If a hardened, public, continuously-fuzzed C++ codebase yields hundreds of latent vulnerabilities to a Mythos-class harness in weeks, the prior on a less-scrutinized embedded systems codebase yielding similar density is high. The observable CVE rate from human researchers is a floor on the actual bug stock, not a ceiling.

The "but it's a niche embedded system" objection

A common defender intuition is that proprietary RTOS-style platforms (IOS XE's Linux/IOSd hybrid, SR OS's TiMOS, the BSD lineage of Junos, Ciena's SAOS) are too obscure for general-purpose models to reason about productively. This was true of GPT-4-era code analysis. It is much less true now: agentic harnesses can be steered with vendor SDK headers, public protocol RFCs, and disassembled binary surfaces, and the bugs the Firefox harness found involved equally specialized subsystems (XSLT, RLBox, the JIT). What matters is the model's ability to reason about state across distant code regions, not its prior training on a specific platform.

03 — The existence proof: Salt Typhoon and the operational half of the thesis

Salt Typhoon does not prove the Mythos thesis directly. It proves the operational half: once telecom routing and control infrastructure is compromised, adversaries can convert that access into metadata collection, traffic redirection, configuration theft, and lawful-intercept exposure. Mythos changes the vulnerability-supply side of the same equation. The two facts are independent. Together they sketch the threat surface.

The public record, drawn from CISA, FBI, and major incident-response firm reporting, describes the following: Salt Typhoon (also tracked under aliases including GhostEmperor, FamousSparrow, Earth Estries, and UNC2286/RedMike — alias mapping in Chinese APT reporting is imperfect, and these names reflect common public clustering rather than forensically identical operations) — a Chinese state-sponsored intrusion set tracked since at least 2022 — gained persistent access to networks at multiple major telecommunications providers. Public reporting from threat-intelligence firms places the global affected population at up to ~80 organizations; US government statements to date have confirmed at least eight US telecom and infrastructure firms by name, including AT&T, Verizon, and Lumen Technologies. The intrusion vector in publicly disclosed cases was a combination of stolen administrative credentials and exploitation of Cisco IOS XE vulnerabilities — including, in at least one case, a seven-year-old known CVE that the operator had not patched. From inside compromised routers, the actors implanted code, configured GRE tunnels to redirect and copy traffic out of the carrier backbone, and pivoted into the lawful-intercept subsystems that US carriers maintain to comply with CALEA wiretap orders.

Router compromise does not have to break the crypto, just rewrite the policy around it.

The intelligence yield was substantial. FBI estimates put metadata exposure (call records, location, contact graphs) at "potentially millions" of Americans, with full content interception on a smaller set including senior US government officials and 2024 presidential campaign figures. The lawful-intercept capture is the more strategically interesting half: by sitting on the mediation device that aggregates court-ordered wiretaps before handoff to law enforcement, the operator inverted the system, learning which Chinese intelligence assets US counterintelligence was monitoring. A subsequent FOIA-released DHS report indicated 1,400+ stolen configuration files from 70+ organizations across twelve critical-infrastructure sectors, with the configuration material then used to pivot into a state Army National Guard network from March through December 2024.

Two takeaways matter here. First, the technical pattern — exploit router software, sit on the control plane, redirect or copy data plane traffic, abuse purpose-built surveillance interfaces — is known to work and known to scale to multiple major carriers simultaneously. Second, the public record shows Salt Typhoon did not need frontier-grade vulnerability discovery to achieve strategic effects. Stolen credentials and unpatched seven-year-old CVEs were sufficient. That the same playbook ran successfully against tier-1 telecoms with current-generation tooling makes AI-accelerated bug discovery more concerning, not less: Mythos changes the supply side of an attack pattern that already worked.

04 — The encryption question: Encryption narrows blast radius, but only above the compromised boundary

The natural defender response is to point at the encryption layers riding over carrier networks: MACsec at Layer 2, IPsec at Layer 3, OTNsec and vendor-proprietary optical encryption (Ciena WaveLogic, Nokia ANYsec, Cisco WAN MACsec) at the transport layer, plus TLS and application-layer cryptography on top. The right way to read this is layered: encryption does not disappear, but its protective value depends on where the trust boundary sits relative to the compromise. Application-layer end-to-end encryption remains opaque to a transit router. Link, transport, VPN, lawful-intercept, inspection, and orchestration layers often terminate inside infrastructure the attacker may now control. The threat is not magical TLS decryption. The threat is compromise of the machinery that routes, mirrors, terminates, logs, keys, and mediates traffic.

The decisive fact is where each encryption boundary terminates. When deployed as device-terminated link or tunnel encryption, MACsec, IPsec, and optical-layer encryption terminate at the network device. (IPsec specifically can also be host-to-host, site-to-site over CPE, or carrier-managed; what follows assumes the device-terminated case that dominates carrier transport and provider-edge deployments.) The cleartext at that layer exists inside the box for forwarding decisions, classification, queueing, and policy enforcement. An attacker holding the control plane of that device (root on IOS XE, an administrative-profile user on SR OS, sysadmin on a Ciena NE) is on the operator side of the cryptographic boundary by construction. Whether that yields anything useful depends on what kind of compromise was achieved and how the device is architected. Four cases, in roughly increasing order of how well they survive control-plane root:

1. Provider-visible traffic exfiltration via configuration

Easy. The keys never leaving silicon is a different claim from the traffic never leaving the box. SPAN/RSPAN/ERSPAN, port mirroring, policy-based routing, ACL bypass, GRE tunnels — these are configuration-level surfaces that route around the cryptographic boundary rather than through it. Salt Typhoon's GRE tunnels are the canonical case: the forwarding and crypto layers can have behaved as configured while the operator policy was rewritten to copy selected flows to adversary infrastructure. Some of those flows remain encrypted at higher layers (TLS, QUIC, customer-managed IPsec, application-layer crypto). The operational point is not that everything copied is decrypted application content; it is that the router has become an adversary-controlled collection point with selective access to plaintext at whatever encryption layer the carrier or device terminates. Encryption disable, downgrade, and lying to the NMS about encryption status fall in the same class of configuration-level attacks.

2. Lawful-intercept architecture is built to defeat link encryption

CALEA and equivalent regimes globally require carriers to maintain a designated tap point that delivers plaintext content to authorized parties. The mediation device sits after any link-layer or transport encryption — that is its purpose. Salt Typhoon's compromise of these subsystems is the demonstration: the surveillance backbone that exists by regulatory mandate is also the easiest place to extract bulk plaintext, and it sits in software that has historically received less security investment than the data plane.

3. Configuration files and management state as intelligence

The Salt Typhoon DHS report flagged 1,400+ stolen configurations as the pivot mechanism into a state Army National Guard network. A device configuration discloses topology, peering relationships, customer VRFs, MPLS label assignments, MACsec pre-shared keys when stored in clear or recoverable form, and the operational shape of a customer's network. NMS and orchestration platforms (Blue Planet, Crosswork, Network Services Orchestrator) hold the same intelligence at higher concentration and lower telemetry coverage. An attacker with control-plane access and patience can extract the metadata needed to attack the customer's customers, even when no payload was ever decrypted.
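Cases 1 and 3 above describe surfaces that can be audited mechanically from a device's own running-config: mirror sessions and tunnels that copy traffic around the crypto layer, privilege-15 accounts that should not exist, and the intelligence the file hands over (BGP peerings, customer VRFs, and type-7 "encrypted" strings, which are a fixed-key XOR and decode trivially). The following is an added example, not code from this brief or from any vendor's tooling. The IOS XE-style configuration is constructed, and the allow-lists of known tunnel peers and admin accounts are assumptions that a real deployment would populate from its source of truth.

```python
"""Audit an IOS XE-style running-config for configuration-level exfiltration
surfaces (case 1) and for the intelligence the config itself discloses (case 3).
Added example; the sample config and allow-lists below are constructed."""
from __future__ import annotations

import re
from collections import defaultdict

# Cisco "type 7" strings are a fixed-key XOR, not encryption; this key table is public.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(blob: str) -> str:
    """Recover a type-7 string: two-digit key offset, then hex of (plaintext XOR key)."""
    offset = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    return bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def parse_sections(config: str) -> list[tuple[str, list[str]]]:
    """Split an IOS-style config into (top-level line, [indented child lines])."""
    sections: list[tuple[str, list[str]]] = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                                   # comments / separators
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())       # child of the current block
        elif not line[0].isspace():
            sections.append((line.strip(), []))        # new top-level block
    return sections


def audit_config(config: str, known_tunnel_peers: set[str], known_admins: set[str]) -> dict:
    """Return exfiltration indicators (case 1) and disclosed intelligence (case 3)."""
    findings: dict[str, list] = defaultdict(list)
    for header, body in parse_sections(config):
        # Case 1: surfaces that copy or redirect traffic around the crypto boundary.
        if header.startswith("monitor session"):       # SPAN / ERSPAN session
            findings["mirror_sessions"].append(header)
        if header.startswith("interface Tunnel"):      # GRE tunnel to an unknown endpoint
            dest = next((ln.split()[-1] for ln in body if ln.startswith("tunnel destination")), None)
            if dest and dest not in known_tunnel_peers:
                findings["unknown_tunnels"].append((header, dest))
        m = re.match(r"username (\S+) privilege 15", header)
        if m and m.group(1) not in known_admins:       # admin account not in the allow-list
            findings["unexpected_admins"].append(m.group(1))
        # Case 3: what the file itself discloses about the network and its customers.
        if header.startswith("router bgp"):
            for ln in body:
                n = re.match(r"neighbor (\S+) remote-as (\d+)", ln)
                if n:
                    findings["bgp_peers"].append((n.group(1), int(n.group(2))))
        if header.startswith("vrf definition"):
            findings["vrfs"].append(header.split()[-1])
        for ln in [header, *body]:                     # reversible secrets, incl. MACsec CAKs
            k = re.search(r"(?:key-string|password|secret) 7 ([0-9A-Fa-f]+)$", ln)
            if k:
                findings["recoverable_secrets"].append((header, decode_type7(k.group(1))))
    return dict(findings)


# Constructed sample: one sanctioned tunnel, one rogue tunnel plus an ERSPAN
# session pointed at the same outside address, and one extra privilege-15 user.
SAMPLE_CONFIG = """\
hostname pe-edge-01
!
vrf definition CUST-A
 rd 64500:100
!
key chain MKA-CORE macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 7 094F4F0249
!
username netops privilege 15 secret 9 $9$redacted
username svc-backup privilege 15 password 7 094F471A1A0A
!
interface Tunnel100
 tunnel source Loopback0
 tunnel destination 203.0.113.7
 tunnel mode gre ip
!
interface Tunnel200
 tunnel source Loopback0
 tunnel destination 198.51.100.22
 tunnel mode gre ip
!
monitor session 1 type erspan-source
 source interface TenGigabitEthernet0/0/1
 destination
  erspan-id 10
  ip address 198.51.100.22
!
router bgp 64500
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.9 remote-as 64502
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG, known_tunnel_peers={"203.0.113.7"},
                          known_admins={"netops"})
    for key, items in report.items():
        print(f"{key}: {items}")
```

Diffing the findings against a golden copy of each device's config (rather than reading a live device's view of itself, which a rooted control plane can falsify) is the form of this check that survives the compromise the section describes.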

4. Direct symmetric key extraction from hardware crypto boundaries

Hard. Implementation details vary by platform, SKU, certification boundary, and deployment mode, but in high-assurance transport and MACsec systems — Ciena WaveLogic, Nokia ANYsec, Adva ConnectGuard-class gear, the high-end Cisco WAN MACsec implementations — AES-GCM is often implemented in dedicated silicon (coherent DSP integration or a separate crypto ASIC) with keys living in OTP fuses or sealed NVRAM. A well-implemented FIPS 140-3 Level 3 boundary genuinely defeats this attack vector from a software-rooted attacker. Two qualifications keep this from being a backstop. First, the FIPS level matters and is often misread: most carrier transport gear is Level 2 (tamper evidence, after-the-fact detection), Level 3 shows up on dedicated HSM line cards and high-assurance optical SKUs, and Level 4 is rare. The validated module in many cases is a specific linked library (the OpenSSL FIPS object module or a vendor fork) running in the same address space as the main software, not a separate silicon partition. Second, the firmware running inside even a real hardware boundary is software, often C, and not typically subjected to the same security review as the main control plane. The Mozilla analogy holds here: Mythos-class harnesses found bugs in the JIT and the RLBox sandbox, equally specialized internal subsystems. The hardware boundary protects against external memory access; it does not make the firmware inside that boundary correct.

Application-layer end-to-end encryption (Signal, properly implemented TLS 1.3, which always negotiates an ephemeral key exchange, modern QUIC) survives all four cases for payload content. What remains visible even in that scenario: source/destination IP pairs, flow timing, byte volume, SNI values where ECH is not in use, DNS queries unless encrypted, BGP control traffic, NetFlow/IPFIX exports, and any traffic the device is configured to mirror. For state-level adversaries, metadata at scale is often the prize.
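To make the metadata point concrete: what a tap on a mirrored flow recovers from a TLS 1.3 ClientHello is the server name, unless ECH is in use, in which case the outer hello carries only a public cover name and the real name sits in the encrypted inner hello. The following is an added example, not code from this brief. The ClientHello bytes are constructed (fixed random, a single cipher suite), the hostnames are placeholders, and the 0xfe0d extension code point is the one the ECH drafts use.

```python
"""Passive observation of a TLS 1.3 ClientHello: payload is opaque, the SNI is not,
unless ECH hides the real name behind a cover name. Added example; all bytes constructed."""
from __future__ import annotations

import struct

EXT_SNI, EXT_SUPPORTED_VERSIONS, EXT_ECH = 0x0000, 0x002B, 0xFE0D


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni: str, ech_payload: bytes | None = None) -> bytes:
    """Constructed minimal ClientHello record; ech_payload simulates an ECH outer hello."""
    # server_name list: list_len(2) name_type(1) name_len(2) name
    sni_body = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni.encode()
    exts = _ext(EXT_SNI, sni_body)
    exts += _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")      # offers TLS 1.3 only
    if ech_payload is not None:
        exts += _ext(EXT_ECH, ech_payload)                       # opaque to the path
    body = (b"\x03\x03" + b"\x11" * 32                          # legacy_version, random
            + b"\x00"                                            # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"                 # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                        # compression: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observe_client_hello(record: bytes) -> dict:
    """What a tap sees: the SNI as sent, whether ECH is present, whether 1.3 is offered."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                                 # legacy_version + random
    pos += 1 + body[pos]                                         # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]         # cipher_suites
    pos += 1 + body[pos]                                         # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    seen = {"sni": None, "ech": False, "tls13": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SNI:
            name_len = struct.unpack("!H", edata[3:5])[0]
            seen["sni"] = edata[5:5 + name_len].decode()
        elif etype == EXT_SUPPORTED_VERSIONS:
            seen["tls13"] = b"\x03\x04" in edata[1:]
        elif etype == EXT_ECH:
            seen["ech"] = True                                   # visible SNI is a cover name
    return seen


if __name__ == "__main__":
    print(observe_client_hello(build_client_hello("mail.example.net")))
    print(observe_client_hello(build_client_hello("public.example", ech_payload=b"\x00" * 64)))
```

The second observation shows why the section qualifies SNI with "pre-ECH": the tap still sees a name, but it is the shared public name of the fronting service, and the actual destination has moved above the compromised boundary along with the payload.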

05 — Proliferation scenarios: Who gets equivalent capability, and when

The threat model is an asymmetry-over-time question. The relevant variable is which categories of actor hold Mythos-equivalent capability at which dates. Specific timelines below are scenario analysis, not forecast — confidence drops sharply outside the named-partner case. A reasonable reading of the public record:

Confidence is given in brackets, followed by the actor class.

[High] Anthropic and Glasswing launch partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, plus 40+ additional critical-infrastructure organizations Anthropic has referred to but not listed publicly. Defensive use under contract. Publicly confirmed.

[Medium] Other frontier labs internally: OpenAI, Google DeepMind, and likely xAI plausibly have models in similar capability classes for red-team work. Big Sleep and CodeMender at Google are the public face of comparable defensive programs. Public visibility on offensive-research deployments is uneven.

[Medium] State signals-intelligence services: NSA, GCHQ, MSS, FSB, Mossad. Plausibly already operating equivalent or lesser internal capability via API access, custom fine-tunes, or domestic frontier labs. Public visibility is essentially zero. Specific timelines (3–6 months, etc.) are unprovable; the historical pattern is that nation-state cyber agencies sit ahead of public disclosure by 18–36 months.

[Medium, rising near-term] Capability proliferation through API and open-weights paths: Frontier API models (GPT-5, Claude Opus 4.6, Gemini 3 Pro) are already near the relevant coding and reasoning tier, available to anyone with a credit card and tolerance for terms-of-service risk. Open-weights releases continue to close the gap from below. The harness layer (swe-agent, OpenHands, custom autogen rigs, fuzzing orchestration, VM-scale repro pipelines) is reproducible today by a single motivated researcher. The threshold-crossing event is gradual rather than a calendar date. Anthropic's own framing, "it will not be long before such capabilities proliferate," sets the upper bound.

[Medium-low, rising to medium] Top-tier cybercriminal groups and well-resourced contractors: Once equivalent capability is available via a competing API, a self-hostable open-weights model, or guardrail erosion, ransomware operators, access brokers, and cyber-mercenary firms pick it up. Timing depends on API access, open-weights catch-up, harness engineering competence, and safeguard erosion. Mozilla's observation that defenders saw an uptick in external bug reports leading up to the announcement is a leading indicator.

Adjacent signal — telecom attack automation is already scaling

Nokia's 2024 and 2025 Threat Intelligence Reports describe cyberattacks against telecom infrastructure accelerating as attackers fold in generative AI and automation. In Nokia-monitored networks between June 2023 and June 2024, DDoS frequency rose from one or two attacks per day to well over 100 per day in many networks, with traffic up 166% and botnets accounting for roughly 60% of monitored volume. The 2025 report shows the trend intensifying: terabit-scale DDoS five times more frequent, 37% of attacks finishing within two minutes, 4% of global home internet connections compromised, and roughly two-thirds of telecom operators reporting at least one living-off-the-land intrusion in the prior twelve months. Different capability class than Mythos-style vulnerability discovery; same macro-pattern. Automation collapses attacker cost curves faster than operators can retire exposed infrastructure.

The defensive window — the time between defender access and broad attacker access — is the variable that matters. Anthropic's strategic bet with Glasswing is that this window can be made wide enough for partners to harden their own software before equivalent capability proliferates. The bet is contestable but not unreasonable.

06 — The asymmetry: Glasswing partners vs. everyone else

The Glasswing partner list is the most consequential shape of the capability landscape, and it is uneven in a way that matters for the network-equipment question. Cisco is a launch partner. Their Chief Security & Trust Officer's quoted position — "the old ways of hardening systems are no longer sufficient" and "providers of technology must aggressively adopt new approaches now" — and their public partner status make IOS XE, IOS XR, NX-OS, and the ASA/FTD codebase obvious candidates for defensive scanning under the program. Anthropic states there is no general availability planned for Mythos Preview; access is through Glasswing participants under contract.

What is unknown matters as much as what is known. Anthropic states that beyond the twelve named launch partners, access has been extended to "over 40 additional organizations that build or maintain critical software infrastructure," none of which are listed publicly. Carrier and hyperscaler networking vendors — Nokia, Juniper, Arista, Ciena, Infinera (now under Nokia), Adva, Calix, Adtran, and others — could be among those 40, or not. The public record does not say. Vendors with credible national-security exposure (Huawei, ZTE) are almost certainly excluded from a US-led program; western vendors might be inside or outside, and outside observers cannot tell. Some of these companies also have access to comparable capability through other channels — Google's Big Sleep and CodeMender programs, Microsoft's internal red-team tooling, or direct relationships with frontier labs not announced as Glasswing partners.

What that means in practice

The defender story for the named partners is comparatively clear. For the rest of the carrier and optical equipment stack, the situation is opaque from outside. A given vendor's bug stock is either being drained on a Glasswing timeline, being drained through a separate frontier-lab relationship, or not being drained at any meaningful rate. An external threat-modeler cannot distinguish these states with the information currently public.

The structural concern survives the uncertainty. Even under the most optimistic assumption — that all major western network equipment vendors have some form of Mythos-class capability access — coverage is uneven across product lines, code ages, and acquisition lineages. A vendor's flagship router OS will get attention before its acquired optical management platform; control-plane code will be audited before line-card firmware; supported releases before end-of-life equipment still in production deployment. And the asymmetric window only matters until adversary capability reaches parity. Anthropic's own framing — "it will not be long before such capabilities proliferate" — sets the upper bound.

07 — Disagreements: What could be wrong about this read

Counter 1 — Capability transfer

Maybe browsers aren't a useful proxy for embedded network OSes

Firefox is C++, has accessible source, and has a well-defined input surface (web content). Network OSes are a mix of proprietary microkernels, vendor-modified Linux, and binary-only blobs, with attack surfaces that include hardware-specific datapath ASIC drivers. The claim that Mythos transfers cleanly is an extrapolation.

Lean: Partially valid but probably wrong on net. The Firefox subsystems Mythos cracked (RLBox, JIT, IPC marshalling, GC) are at least as specialized as any single network OS subsystem. Vendor-supplied SDK headers and protocol RFCs are a stronger context base than the public web standard documents the Firefox harness worked from. The transfer is not free, but the harness engineering is the bottleneck, not the underlying capability.

Counter 2 — Defender pace

Maybe defenders close the gap fast enough that exploitation never scales

Glasswing is real. The Cisco quote is real. Hardening pipelines using the same models that enable the threat could outrun adversary capability if the defensive window is wide enough.

Lean: True for partner vendors at the margin, almost certainly false for the long tail. Cisco has a first-mover chance to drain some of the highest-risk bug stock in its most important portfolios; its customers still cannot patch at AI-discovery speed. The Salt Typhoon campaign exploited a CVE that was seven years old at time of use. Carrier patching cycles are measured in quarters; some installed equipment is past end-of-software-support and will never receive patches at all. The asymmetry between vulnerability discovery rate and operator patch rate is the structural problem, and it widens as discovery accelerates.

Counter 3 — Detection

Maybe traffic interception leaves enough signal that operators catch it

GRE tunnels exfiltrating customer traffic, configuration changes on production routers, and lawful-intercept-system tampering all produce telemetry. Modern XDR and NDR stacks should see this.

Lean: Partially true, evidently insufficient. Salt Typhoon ran in tier-1 carriers — organizations with mature SOCs, the best telemetry, and government clearance pipelines — for two to three years before public detection. The "living off the land" tradecraft (legitimate admin tools, expected protocols) is purpose-built to defeat detection in environments that already trust router-originated traffic. AI-augmented detection on the defender side is the natural counter, but it is not a finished product.

Counter 4 — Anthropic incentive

The Mythos messaging serves Anthropic's policy and commercial interests

Anthropic benefits from framing AI cyber capability as a national-security-grade phenomenon: it justifies the Responsible Scaling Policy, supports policy positions favorable to frontier-lab consolidation, drives enterprise sales, and shapes the regulatory conversation in directions that advantage incumbents.

Lean: All true; mostly orthogonal to whether the technical claim is correct. The Mozilla blog post is independent third-party validation. Cisco, Microsoft, AWS, Palo Alto Networks, and CrowdStrike all corroborated specific operational use. UK AISI's evaluation is independent. The benchmark numbers (CyberGym 83.1%, SWE-bench Verified 93.9%) are reproducible by partners. The capability claim is not synthetic. The policy framing is downstream of a real technical fact, even if the framing itself is also strategic.

Counter 5 — Hardware / data-plane isolation

Some platforms isolate management software from forwarding ASICs and crypto modules

A compromised control plane does not always imply arbitrary access to plaintext in ASIC pipelines, optical modules with FIPS 140-3 boundaries, HSM-backed key stores, or physically separated mediation systems. Carrier-grade transport often has meaningful separation between management software and the silicon doing line-rate crypto.

Lean: Valid blast-radius limiter, not a full defense. Hardware-rooted crypto boundaries genuinely block direct symmetric key extraction from a compromised control plane — that is real and matters for retrospective decryption of historical captures. They do not block configuration-driven plaintext exfiltration (mirrors, GRE tunnels, ACL bypass), encryption disable or downgrade through the management interface, or memory-safety bugs in the firmware running inside the crypto boundary. Salt Typhoon's playbook needed none of the things these boundaries protect against. The hardware separation is best understood as constraining which compromise paths are easy, not as a backstop against device-level adversarial access.

Counter 6 — Disclosure sample bias

Anthropic and Mozilla are showing successes; we don't see the failures

Firefox may be unusually well-instrumented for AI-driven harness workflows: open source, widely-deployed, with a mature internal fuzzing infrastructure that the harness could plug into. Other targets may resist this approach for reasons not yet visible. "High severity" classifications by vendor PSIRT teams also do not map cleanly to reliable practical exploitation.

Lean: Valid. Sample bias is real and the headline numbers should be discounted accordingly. But Mozilla's independent post and AISI's controlled evaluations both support the broader claim that model-plus-harness vulnerability discovery has crossed a material threshold relative to prior generations. The thesis does not require every codebase to yield 271 bugs; it requires the technique to be productive against network equipment specifically. The Bayesian prior on that, given the Firefox demonstration, is high.

08 — Bottom line: What this means for the threat model

An honest summary: the question "could organizations with Mythos-level access find vulnerabilities in network equipment software and reach the data riding over those networks" is no longer a hypothetical. The component capabilities all exist and have been demonstrated separately. AI-driven vulnerability discovery against hardened C/C++ codebases works at a pace the industry has not seen before. Network equipment software is exactly the kind of hardened C/C++ codebase the technique was demonstrated on. The path from compromised network gear to traffic and metadata is operationally proven by Salt Typhoon, even though that campaign predated AI-accelerated discovery and used much older tools. Encryption is a real but partial defense whose protective value depends on where the trust boundary sits — not a magical TLS-decryption defeat, but a question of which machinery routes, mirrors, terminates, logs, keys, and mediates traffic, and whether that machinery is now in the attacker's control. Defender access to Mythos-class capability across the global vendor stack is opaque to outside observers and almost certainly uneven.

The actionable defender questions are not whether the capability exists but how the timeline plays out: how fast can vendors who do have access drain their own bug stock, how quickly does adversary capability proliferate, how aggressively can operators force patch cycles on a customer base that historically refuses them, and which intermediate layers (BGP route validation, end-to-end encryption coverage, telemetry-driven anomaly detection, hardware roots of trust, separation of management and data planes) can absorb compromise of the underlying equipment software.

None of those questions has a clean answer in May 2026. What is clear is that the dominant assumption underlying carrier network security — that the equipment software is hard enough to attack that it functions as a trust anchor — is degrading. The Mozilla post, read carefully, is a notice that the regime change has already happened in browsers. There is no structural reason it stops there.

Primary — vendor, regulator, government

  1. Mozilla Hacks, "Behind the Scenes Hardening Firefox with Claude Mythos Preview," 7 May 2026. hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
  2. Anthropic, "Project Glasswing: Securing critical software for the AI era," 7 April 2026. anthropic.com/glasswing
  3. Anthropic Frontier Red Team — Firefox and Mythos Preview disclosures, 2026. red.anthropic.com
  4. UK AI Security Institute, "Our evaluation of Claude Mythos Preview's cyber capabilities," April 2026. aisi.gov.uk
  5. UK Government Cabinet Office, "AI cyber threats: open letter to business leaders," 2026. gov.uk
  6. NVD — CVE-2025-20188, CVE-2025-20352, CVE-2025-20363, CVE-2026-20104
  7. Cisco Security Advisories — cisco-sa-ios-xe-cmd-inject-rPJM8BGL, cisco-sa-ios-tacacs-hdB7thJw, cisco-sa-http-code-exec-WmfP3h3O, IOS XE 17 product family advisory bundle 2025–2026
  8. Nokia Product Security Advisory CVE-2023-6729 (SR OS file system access via SCP/SFTP)
  9. Ciena CVE-2024-2005 (Blue Planet SAML privilege escalation through v22.12)

Threat intelligence & reporting

  1. Recorded Future / Insikt Group, "RedMike (Salt Typhoon) Exploits Vulnerable Devices of Global Telecommunications Providers," February 2025
  2. NMFTA, "From Backbone to Battlefront: Salt Typhoon's Espionage Leap from Telecom to the National Guard," 2025 (citing FOIA-released DHS report via NBC News)
  3. Cisco Talos / Cisco PSIRT public communications on Salt Typhoon intrusion vectors, February 2025
  4. Nokia, "Threat Intelligence Report 2024" — telecom infrastructure under accelerating attack with GenAI/automation, DDoS frequency up to 100+/day, +166% traffic, ~60% botnet share. nokia.com newsroom
  5. Nokia, "Threat Intelligence Report 2025" — terabit-scale DDoS 5× more frequent, 37% under two minutes, 4% of home connections compromised, ~⅔ of operators saw living-off-the-land intrusions. nokia.com newsroom
  6. FortiGuard Labs, threat actor profile — Salt Typhoon alias clustering across vendor reports

Analysis & commentary

  1. World Economic Forum, "Anthropic's Mythos moment: how frontier AI is redefining cybersecurity," April 2026