Date: 2025-02-06

During January Patch Tuesday, Microsoft credited Unpatched.ai for reporting multiple high-severity vulnerabilities, yet the AI-powered bug finding tool remains a mystery to the infosec community.

Last month, Microsoft addressed 159 new vulnerabilities that affected an array of the tech giant's widely used products. Among the flaws, Microsoft credited Unpatched.ai for discovering and reporting three remote code execution vulnerabilities, tracked as CVE-2025-21186, CVE-2025-21366 and CVE-2025-21395. All three flaws affect Microsoft Access, its database management system, and received a CVSS score of 7.8.

While Microsoft credited Unpatched.ai for the findings, there is limited information on the AI-powered analysis and vulnerability reporting tool. Informa TechTarget contacted many infosec vendors and experts, but the inquiries often led to more questions.

On its website, Unpatched.ai markets itself as "vulnerability discovery by an AI-guided, cybersecurity platform." There is a link to reported bugs, but the list solely comprises Microsoft vulnerabilities, primarily those discovered in Microsoft Access. Under the contact page, Unpatched.ai said it works with "select enterprise, government and security vendors based in the U.S. and ally countries."

On its "about" page, Unpatched.ai cites silent patching as one reason for its vulnerability research.

"We find unpatched issues in software to help customers better identify and manage cyber risk. Many issues are unknown or silently fixed by software vendors, hiding the true risk profile of their products. With the help of AI, we are developing an automated platform to help find and analyze these issues for our customers," Unpatched.ai wrote on the website.

In addition to the website, Unpatched.ai also has an X account. However, the platform's few posts were deleted recently. One since-deleted post, on Jan. 29, warned users that the Microsoft patch for CVE-2025-21396 was insufficient.

Informa TechTarget contacted Microsoft regarding the post. "We are aware of these reports and will take action as needed to help protect customers," a Microsoft spokesperson said.

Microsoft did not respond to requests for additional background information on Unpatched.ai.

Informa TechTarget contacted Unpatched.ai, but the platform did not respond to requests for comment.

Unpatched.ai warned users of an insufficient Microsoft patch on its X account, but the post was deleted last week.