Android ADB, Curl, and Exim Vulnerabilities: Key Questions Answered

From Stripgay, the free encyclopedia of technology

This week in cybersecurity brought several notable vulnerabilities and patches. Google fixed a critical Android Debug Bridge (ADB) bug that could allow unauthorized network access, while AI tools like Mythos and XBow uncovered flaws in Curl and Exim software. Below, we answer six key questions about these incidents, explaining the risks, impacts, and what users should do.

What is the Android ADB bug and how does it work?

The Android Debug Bridge (ADB) bug, patched in May 2025, bypasses authorization when network debugging is enabled. Normally, ADB requires user approval for each new debug connection. However, a programming error treats certificate type mismatches as valid: the API returns -1 for a mismatch, and because any non-zero value counts as 'true' in a boolean test, -1 is read as a match. This allows an attacker with network access to connect, without user consent, to a device that previously had a trusted ADB connection. The bug affects all Android versions since 2020. Exploitation requires wireless ADB to be enabled and at least one past trusted device. While exploitation is unlikely for average users, developers using ADB over Wi-Fi should update immediately.
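The return-value mistake described above, shown as an added C example that is not ADB's source code: the key record, `key_compare`, and the sample keys are hypothetical and constructed, and model only the 1 / 0 / -1 convention the text describes. The flawed check sits beside the corrected one so the difference is a single comparison.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical key record; not ADB's real data structures. */
enum key_type { KEY_RSA, KEY_EC };
struct pubkey { enum key_type type; const char *material; };

/* Hypothetical tri-state compare: 1 = same key, 0 = different key,
 * -1 = the two keys are of different types. */
int key_compare(const struct pubkey *a, const struct pubkey *b) {
    if (a->type != b->type) return -1;
    return strcmp(a->material, b->material) == 0 ? 1 : 0;
}

/* Flawed: C treats every non-zero int as true, so -1 passes. */
bool is_trusted_flawed(const struct pubkey *peer, const struct pubkey *known, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (key_compare(peer, &known[i])) return true;
    return false;
}

/* Corrected: only the explicit "same key" result grants trust. */
bool is_trusted_strict(const struct pubkey *peer, const struct pubkey *known, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (key_compare(peer, &known[i]) == 1) return true;
    return false;
}

/* Constructed sample data: one previously authorized key and three peers. */
const struct pubkey KNOWN[]   = { { KEY_RSA, "constructed-rsa-key-A" } };
const struct pubkey SAME_KEY  = { KEY_RSA, "constructed-rsa-key-A" };
const struct pubkey OTHER_RSA = { KEY_RSA, "constructed-rsa-key-B" };
const struct pubkey OTHER_EC  = { KEY_EC,  "constructed-ec-key-C" };

int main(void) {
    const struct pubkey *peers[] = { &SAME_KEY, &OTHER_RSA, &OTHER_EC };
    const char *names[] = { "same key", "other RSA key", "key of another type" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s flawed=%d strict=%d\n", names[i],
               is_trusted_flawed(peers[i], KNOWN, 1),
               is_trusted_strict(peers[i], KNOWN, 1));
    return 0;
}
```

With an empty list of known keys the flawed check never reaches the comparison, which matches the stated precondition of at least one past trusted device.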

Source: hackaday.com

Who is most at risk from the ADB vulnerability?

Developers and power users who enable wireless ADB are at highest risk. The bug allows unauthorized network access if ADB is set to listen on a network interface and at least one device was previously authorized. However, the biggest concern is for vendors that rarely release security updates. Google patched it in the May security update for Pixel phones, but many budget Android manufacturers may delay or never provide the fix. Users of such devices should disable wireless ADB if they have it enabled, and avoid enabling it unless absolutely necessary. For most users who never use ADB, the risk is negligible.

Was Mythos AI successful in finding a Curl vulnerability?

Mythos, an AI model, identified five potential flaws in Curl, but after analysis these were reduced to a single, low-severity vulnerability. The issue is classified as "not particularly dangerous" and will receive a CVE and a patch soon. Curl is extremely widely deployed, with an estimated 20 billion instances, so any discovery matters. Daniel Stenberg, Curl's creator, noted that the lack of serious findings reflects the codebase's maturity and constant auditing. The Mythos experience demonstrates that while AI can assist in vulnerability discovery, manual review remains essential to separate real bugs from false positives.

Should Curl users be concerned about the Mythos-discovered bug?

Generally, no. The single vulnerability found is low-severity and unlikely to pose an immediate threat. Users should still apply the upcoming patch as a precaution. Curl's codebase has benefited from years of rigorous testing and audits, making it less prone to critical flaws. The Mythos AI interaction primarily highlighted the challenge of aligning AI security tools with real-world codebases. For most users, continuing to use current Curl versions is safe, but keeping software updated is always good practice.


What did XBow find in Exim using AI tools?

XBow, a security firm, used AI to discover a vulnerability in Exim, an open-source email transfer agent. The specific bug details are not yet fully disclosed, but it highlights how AI is being leveraged to find flaws in critical internet infrastructure. Exim is widely used on mail servers, so any vulnerability can have broad implications. The discovery underscores the dual role of AI in cybersecurity—both as a tool for attackers and defenders. XBow's findings will likely lead to a patch from the Exim maintainers. Server administrators should watch for updates and apply them promptly.

What lessons do these events teach about AI in vulnerability research?

The recent use of AI by Mythos and XBow shows that AI can identify potential vulnerabilities, but the results vary. Mythos's low-severity Curl bug suggests that mature, well-audited codebases resist even AI-based searches, while XBow's Exim find indicates AI can uncover real issues in complex software. These experiences stress that AI is not a silver bullet—human expertise is needed to verify and prioritize findings. As AI tools improve, they will become more useful, but for now, they complement traditional security practices rather than replace them. Organizations should continue regular code reviews and vulnerability assessments alongside exploring AI assistance.