Skip to main content
Writing
·Paper Review·9 min read

VEXAIoT: Autonomous IoT Vulnerability EXploitation using AI Agents

VEXAIoT is an autonomous multi-agent AI framework that coordinates a vulnerability detection agent and an attack execution agent to scan, plan, and exploit IoT-specific vulnerabilities using LLMs and

AI Security
Contents

VEXAIoT: Autonomous IoT Vulnerability EXploitation using AI Agents Image generated by AI

TLDR

  • What: VEXAIoT is an autonomous multi-agent AI framework that coordinates a vulnerability detection agent and an attack execution agent to scan, plan, and exploit IoT-specific vulnerabilities using LLMs and offensive tools.
  • Who's at risk: Smart home deployments, routers running OpenWrt, and legacy embedded systems exposed to network-level attackers.
  • Key number: Achieved a 95.0% overall attack success rate across 260 autonomous executions, with average execution times under two minutes for most attacks.

VEXAIoT: Autonomous IoT Vulnerability Scanning and Multi-Agent Exploitation

With the rapid expansion of the Internet of Things (IoT)—projected to exceed 39 billion connected devices by 2030—the security of embedded systems has become a critical bottleneck. Legacy systems and smart home deployments often suffer from unpatched CVEs, weak default credentials, and insecure ecosystem interfaces. This post analyzes VEXAIoT, a new multi-agent AI framework designed to autonomously discover, plan, and exploit vulnerabilities across heterogeneous IoT environments, bringing the power of agentic workflows to red-teaming embedded systems.


Threat Model

Attacker Network-level access to the target IoT environment with no physical access assumed. Capable of executing standard scanning tools (nmap) and interacting with open-source offensive security tools via an attacker-controlled machine (e.g., Kali Linux).
Victim Connected IoT devices and virtualized IoT environments running embedded software (such as OpenWrt in the IoTGoat environment) or legacy UNIX services (such as Metasploitable2).
Goal Gain unauthorized access, exfiltrate personally identifiable information (PII), install persistent backdoors, execute arbitrary commands (RCE), disable target services via Denial of Service (DoS), or clear security logs.
Budget Zero-day vulnerability knowledge is not required. The attack relies entirely on public exploit databases (searchsploit), common pentesting tools, and low-cost API queries to a reasoning LLM (such as ChatGPT).

Background / Problem Setup

Traditional vulnerability scanners and automated exploit tools rely heavily on static, rule-based workflows. When an exploit script fails due to minor network variations or target configurations, static systems cannot adapt. While recent research has integrated Large Language Models (LLMs) to automate penetration testing, these frameworks primarily focus on structured Capture-the-Flag (CTF) environments or enterprise IT networks, leaving the highly heterogeneous and resource-constrained domain of IoT largely unexplored.

Approach Autonomous? Target Environment Adaptability to Feedback IoT Specific?
PentestGPT (Deng et al.) Semi-autonomous (Human-in-the-loop) General Enterprise IT Medium (Relies on user prompt guidance) No
AutoAttacker (Xu et al.) Autonomous General Network CTFs High No
Autopentester (Ginige et al.) Autonomous General CTF Problems High (Adaptive command adjustments) No
Rule-Based Frameworks (Akhilesh et al.) Autonomous Smart-home IoT Low (Fails on unexpected output) Yes
VEXAIoT (This Work) Fully Autonomous IoT-Specific & Legacy UNIX High (Automated retries, dependency tracking) Yes

Methodology

VEXAIoT separates vulnerability analysis and exploit execution into two independent but tightly coordinated AI agents, as shown in the architecture diagram (Figure 1).

                      +-----------------------------+
                      |  Vulnerability Detection    |
                      |            Agent            |
                      +--------------+--------------+
                                     |
                         Scans and plans attack
                                     |
                                     v
                      +-----------------------------+
                      |  Attack Execution Agent     |
                      +--------------+--------------+
                                     |
                         Executes command/exploit
                                     |
                                     v
                      +-----------------------------+
                      |        Target Device        |
                      |   (IoTGoat / Metasploitable) |
                      +-----------------------------+

Step 1: Reconnaissance & Vulnerability Mapping

The Vulnerability Detection Agent initiates a scan of the target IP using nmap. The output, including open ports and software versions (e.g., dnsmasq 2.73 or Dropbear sshd), is passed to searchsploit. searchsploit queries the local Exploit Database to retrieve matching CVEs and public exploit scripts.

Step 2: Coordinated Attack Planning

The collected data is compiled into a structured system prompt. VEXAIoT uses role-based task framing to minimize LLM refusal behavior. Rather than explicitly describing offensive tools as malicious utilities, the prompt describes the functional capabilities of each available tool.

The LLM (specifically evaluated using ChatGPT 5.1 thinking) analyzes the scan data to build a dependency-aware attack sequence. For example, it identifies that a Man-in-the-Middle (MitM) credential grab must occur and succeed before executing attacks that depend on having collected credentials.

Step 3: Command Generation & Execution

Once the plan is generated, specific vulnerability contexts and scripts are passed to the Attack Execution Agent. This agent parses instructions, selects the appropriate tool (e.g., bettercap, John the Ripper, or a python exploit script), and formats the exact command-line string.

Step 4: Execution & Feedback Loop

The generated command is executed in a subprocess. The output, along with any success or failure indicators, is captured and sent back to the Vulnerability Detection Agent:

  • Success: The agent validates the output against attack-specific success criteria (see Table I) and triggers the next attack in the queue.
  • Failure: The detection agent analyzes the error logs, adjusts the execution strategy, and commands the execution agent to retry with modified parameters (Algorithm 1 & 2).

Key Results

The framework was evaluated across 20 trials for 10 distinct attack scenarios in IoTGoat (an OpenWrt-based testbed) and 3 scenarios in Metasploitable2.

Attack Success Rates (IoTGoat)

Table III outlines the success rates across 200 total executions in the IoTGoat environment:

Attack Scenario Successes Failures Success Rate
Hardcoded user password 18 2 90.0%
Open MiniUpnp backdoor 16 4 80.0%
XSS Attack 20 0 100.0%
Developer Backdoor 20 0 100.0%
Update Attack 20 0 100.0%
DNS DoS Attack 16 4 80.0%
Database PII 20 0 100.0%
MitM credential grab 19 1 95.0%
Log erase 20 0 100.0%
RCE Attack 20 0 100.0%
Total (IoTGoat) 189 11 94.5%

Execution Time and Token Overhead

As detailed in Table V, most attacks were completed rapidly, with 8 out of 10 attacks executing in under one minute:

Attack Mean Time (seconds) Mean Time for LLM Reasoning (seconds) Mean Tokens
Hardcoded user password 139 28 690
Open MiniUpnp backdoor 28.44 26.15 530
XSS Attack 24.53 19.97 670
Developer Backdoor 46.03 44.04 520
Update Attack 51.12 49.92 540
DNS DoS Attack 37.81 22.32 920
Database PII 102 54.39 1480
MitM credential grab 15.63 14.44 620
Log erase 54.00 53.51 1390
RCE Attack 13.03 11.75 460

Failures and Refusals

A critical look at the failure modes (Table IV) reveals the bottlenecks of deploying commercial LLMs for offensive tasks:

  • Model Refusals (5 trials): The LLM declined to generate attack-related instructions. These accounted for two MiniUPnP failures and three DNS DoS failures.
  • Persistent Syntax Errors (5 trials): The agent generated malformed or incomplete parameters that were not corrected during retry attempts. These occurred twice in the hardcoded password attack, twice in the MiniUPnP attack, and once in the DNS DoS attack.
  • Hallucination (1 trial): Occurred only once during the MitM credential interception experiment.

Limitations & Open Questions

  1. Model Reporting and Replication: The paper repeatedly references using "ChatGPT 5.1 thinking." This non-standard version label lacks industry definition, which makes exact replica testing of the LLM pipeline's decision-making logic difficult to verify.
  2. Virtual vs. Physical Testbeds: The entire evaluation was conducted within simulated virtual environments (IoTGoat running on virtualized OpenWrt, and Metasploitable2 VMs). Real-world IoT devices introduce hardware constraints, physical timing anomalies, and wireless communication drops that could alter the success rates.
  3. Exploit Database Dependency: VEXAIoT relies entirely on mapping nmap outputs directly to searchsploit entries. It is designed to work with public, existing exploit databases and is not evaluated for identifying zero-day conditions or logical flaws in proprietary IoT interfaces without prior public documentation.

What Practitioners Should Do

If you are defending or deploying IoT devices, prioritize the following steps:

  1. Disable Unused Protocols & UPnP: Disallow unauthorized port configurations by disabling Universal Plug and Play (UPnP) daemons. The MiniUPnP service was exploited directly to open backdoors in 80.0% of the agent's trials.
  2. Enforce Strong Password Policies: Ensure default firmware credentials are changed immediately upon installation. VEXAIoT successfully recovered weak user passwords stored in the firmware in 90.0% of the runs.
  3. Validate Package and Update Signatures: Ensure your update manager verifies cryptographically signed firmware images. VEXAIoT successfully pushed malicious, unverified update payloads in 100.0% of its attempts.
  4. Implement Port Scanning and Network Monitoring Policies: Set up intrusion detection systems to trigger alerts upon detecting rapid, sequential network scans. VEXAIoT's vulnerability scanning phase relies heavily on nmap outputs, which can be detected by standard defense mechanisms.

The Takeaway

VEXAIoT highlights how multi-agent AI systems can reduce the execution time of complex, multi-stage IoT exploits to under two minutes. However, the study also reveals that the primary bottleneck for autonomous red-teaming isn't the execution of exploits, but the fragility of commercial LLMs to safety alignment refusals and syntax errors during complex command generation. For automated testing of legacy architectures, a combination of specialized models and strong parser schemas remains the most reliable path forward.


Den's Take

VEXAIoT's 95.0% success rate across 260 autonomous executions is a stark reminder of how rapidly agentic offensive capabilities are maturing. By splitting tasks between detection and execution agents, the framework successfully tackles the typical brittleness of traditional, static exploits. The average execution time of under two minutes is impressive, but we must look at the evaluation environment critically: virtualized platforms like IoTGoat (running OpenWrt) and Metasploitable2 are highly predictable. In the physical world, heterogeneous IoT networks present messy, non-standard protocols and physical timing anomalies that would likely degrade this success rate.

This work highlights a larger trend—the transition from passive LLM code generation to active, autonomous network-level actions. This is precisely why we need robust guardrails around agent execution. Integrating pre-execution gating mechanisms to audit and control autonomous agents before they execute potentially destructive commands on a network is a critical priority. While VEXAIoT shows the offensive potential of multi-agent collaboration, it also serves as a strong argument for why the defensive community must build runtime sandboxing and semantic auditing directly into agentic harnesses.

Share

Comments

Page views are tracked via Google Analytics for content improvement.