Microsoft Corp. today detailed a new AI-powered vulnerability discovery system, codenamed MDASH, that uncovered 16 previously unknown flaws in Windows networking and authentication components. Among them are four critical remote code execution bugs patched in this month's Patch Tuesday release.
The system orchestrates more than 100 specialized AI agents across frontier and distilled models to find, debate, and prove exploitable bugs. The vulnerabilities span the Windows TCP/IP stack, IKEEXT IPsec service, HTTP.sys, Netlogon, DNS, and the Telnet client-most reachable from the network without credentials.
Two critical bugs highlight the system's capability: CVE-2026-33827, an unauthenticated use-after-free in tcpip.sys triggered by crafted IPv4 packets, and CVE-2026-33824, a double-free in the IKEv2 service yielding code execution as LocalSystem.
Microsoft says MDASH outperforms single-pass scanners. On the public CyberGym benchmark spanning 1,507 real-world vulnerability reproduction tasks, MDASH scored 88.45%-the top result on the leaderboard, roughly five points ahead of the next entry. On a private test driver with 21 planted vulnerabilities, it identified all 21 with zero false positives.
The architecture runs as a pipeline of prepare, scan, validate, dedup, and prove stages, with specialized models handling heavy reasoning, distilled models for cost-effective debate, and domain plugins injecting kernel calling conventions and trust boundaries.
Taesoo Kim, vice president of agentic security at Microsoft, says the durable advantage lies in the agentic system around the model, not any single model. The team behind MDASH includes members from Team Atlanta, winners of the $20 million DARPA AI Cyber Challenge.