ZAST.AI has developed an innovative AI-powered code security platform that automates both the generation and validation of Proof-of-Concept exploits for discovered vulnerabilities. Unlike traditional static analysis tools that often produce high false positive rates, ZAST.AI’s solution ensures that only practically verified vulnerabilities are reported, effectively achieving a zero false positive rate. In 2025, ZAST.AI identified hundreds of zero-day vulnerabilities across dozens of popular open-source projects, including critical components like Microsoft Azure SDK, Apache Struts XWork, Alibaba Nacos, Langfuse, Koa, and node-formidable. These vulnerabilities encompass both syntax-level issues such as SQL Injection, Cross-Site Scripting (XSS), Insecure Deserialization, and Server-Side Request Forgery (SSRF), as well as semantic-level vulnerabilities including Insecure Direct Object References (IDOR), privilege escalation, and payment logic flaws. The company submitted these findings to authoritative vulnerability databases, resulting in 119 CVE assignments, with patches already issued by maintainers from major technology firms. ZAST.AI’s technology leverages advanced AI to deeply analyze code, automatically generate exploit PoCs, and execute them to confirm exploitability before reporting. This approach drastically reduces the manual verification burden on security teams and shortens remediation cycles. The recent $6 million Pre-A funding round, led by Hillhouse Capital, will support further R&D, product expansion, and global market development. The platform is already in use by multiple enterprise clients, including Fortune Global 500 companies, enhancing their vulnerability management capabilities by providing actionable, verified vulnerability reports.

For European organizations, the discovery of numerous zero-day vulnerabilities in widely adopted open-source components poses a significant security risk. Many European enterprises and government agencies rely heavily on open-source software for critical infrastructure, cloud services, and enterprise applications. Vulnerabilities in components like Microsoft Azure SDK and Apache Struts can lead to severe consequences including unauthorized data access, privilege escalation, business logic manipulation, and potential system compromise. The presence of verified PoCs means attackers could develop reliable exploits if patches are not applied promptly. This elevates the urgency for European organizations to reassess their vulnerability management processes and patching strategies. Additionally, the reduction of false positives through ZAST.AI’s technology can improve security team efficiency, enabling faster response times and reducing alert fatigue. However, organizations that do not adopt such advanced detection methods may continue to struggle with high false positive rates, increasing the risk of missing real threats. The overall impact includes potential data breaches, operational disruptions, financial losses, and reputational damage, especially for sectors with high regulatory scrutiny such as finance, healthcare, and critical infrastructure within Europe.

European organizations should prioritize the following specific mitigation steps: 1) Conduct an immediate inventory of open-source components in use, focusing on those identified by ZAST.AI such as Microsoft Azure SDK, Apache Struts, Alibaba Nacos, and others. 2) Apply all available patches and updates released by maintainers in response to the disclosed vulnerabilities without delay. 3) Integrate advanced AI-driven vulnerability detection tools similar to ZAST.AI’s approach to reduce false positives and improve the accuracy of vulnerability assessments. 4) Enhance vulnerability management workflows to include automated PoC validation where possible, ensuring that reported vulnerabilities are exploitable and actionable. 5) Increase collaboration with open-source communities and monitor authoritative vulnerability databases for timely updates. 6) Train security teams to recognize and prioritize semantic-level vulnerabilities, including business logic flaws, which are often overlooked by traditional tools. 7) Implement continuous monitoring and threat hunting focused on exploitation attempts targeting these known vulnerable components. 8) Engage in threat intelligence sharing with industry peers and government cybersecurity agencies to stay informed about emerging exploits. 9) Consider adopting a risk-based patch management strategy that prioritizes vulnerabilities with confirmed PoCs and high exploitability. 10) Evaluate the security posture of third-party vendors and cloud providers to ensure they are also addressing these vulnerabilities promptly.