In May 2025, security researcher Sean Heelan used OpenAI's o3 model to find CVE-2025-37899, a use-after-free in ksmbd, the Linux kernel's in-kernel SMB server. The model found it not by fuzzing or signature scanning but by reasoning about the code: it worked out that one connection's logoff could free a session's user object while a second connection bound to the same session was still using it, a race that human reviewers had not caught. Anthropic's Claude Mythos work, detailed at /legal/claude-mythos/, shows the same capability at a larger scale: AI models can now find zero-day vulnerabilities at a speed and volume human teams cannot match.
For law firms, this changes the threat model. Firms hold some of the most sensitive data in any industry: privileged communications, litigation strategy, merger details, settlement terms, IP portfolios, and personal client information. That data sits on infrastructure built from code of the same kind, and often the very same open-source components, that these models are now finding flaws in. The capability that lets a security researcher find bugs lets an attacker find entry points.
This isn't a future risk. It's a current one. And most law firms aren't equipped to handle it.
What Zero-Day Vulnerabilities Are and Why They Matter Now
A zero-day vulnerability is a software flaw that the vendor doesn't know about and hasn't patched. It's called "zero-day" because the vendor has had zero days to fix it. Attackers who discover these flaws can exploit them before any defense exists.
Before AI-assisted vulnerability discovery, finding a zero-day in a major codebase was slow expert work: a researcher could spend weeks or months reading code to find one. AI changes that math. Models of the Mythos class can read millions of lines of code and point at suspicious patterns in hours. That means both defenders and attackers now have tools that find flaws faster than human teams can patch them.
The specific vulnerability (CVE-2025-37899) was in ksmbd, the Linux kernel's built-in SMB3 file server. The flaw was a race: when one connection sent a logoff, the server freed the session's user object while another connection bound to the same session could still be using it, leaving a dangling pointer into kernel memory. Because the trigger is SMB protocol traffic rather than a local action, it is reachable from the network, which makes it an entry point as well as a tool for lateral movement once an attacker is inside. Two caveats matter for a firm's exposure. SMB is used by virtually every law firm for file access, but this bug lives in one Linux implementation: Windows file servers and Samba are separate codebases and were not affected by it. And ksmbd is not running by default on most Linux distributions, so a Linux file server is affected only if someone set it up to serve files with it. The lesson is about the bug class, not this one module.
The Linux kernel is open source and read by thousands of developers. If a flaw this serious survived there, the proprietary software your firm runs, which gets far less outside scrutiny, has no reason to be cleaner.
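To make the bug class concrete, here is an added example (my own code for this piece, not the kernel's ksmbd code and not the upstream fix) that models the shape of the flaw in a few dozen lines of userspace C: a session whose user object is shared by two connections, a logoff that frees it, and a handler on the other connection that keeps using it. The struct and function names are invented, and the race is simulated single-threaded by calling the logoff from inside the handler rather than from a second thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example modelling the bug class, not kernel or ksmbd code. Names are
 * invented; the race is simulated single-threaded by calling logoff from
 * inside a handler that is still using the object. */

static int users_freed = 0;          /* instrumentation: user objects released so far */
int users_freed_count(void) { return users_freed; }

struct user {
    char name[32];
    int refcount;                    /* used by the fixed variant only */
};

struct session {
    struct user *user;               /* shared by every connection bound to this session */
};

struct user *user_new(const char *name) {
    struct user *u = calloc(1, sizeof *u);
    if (!u) abort();
    strncpy(u->name, name, sizeof u->name - 1);
    u->refcount = 1;                 /* the session's own reference */
    return u;
}

static void user_release(struct user *u) { users_freed++; free(u); }

/* VULNERABLE shape: logoff on connection A frees the user immediately. A
 * handler on connection B that already loaded sess->user keeps a dangling
 * pointer and reads freed memory. Kept for comparison only; never run it. */
void logoff_vulnerable(struct session *sess) {
    user_release(sess->user);        /* freed while B may still be using it */
    sess->user = NULL;               /* too late for a handler that already read the pointer */
}

/* FIXED shape: every user of the object holds a counted reference, logoff
 * only drops the session's reference, and memory goes away with the last one. */
struct user *user_get(struct user *u) { if (u) u->refcount++; return u; }
void user_put(struct user *u) { if (u && --u->refcount == 0) user_release(u); }

void logoff_fixed(struct session *sess) {
    struct user *u = sess->user;
    sess->user = NULL;               /* later handlers see "no user", not a stale pointer */
    user_put(u);                     /* frees only if nobody else holds a reference */
}

/* Handler on connection B. Returns the length of the user name it worked
 * with, or -1 if the session no longer has a user. With logoff_midway set,
 * connection A's logoff runs in the middle of B's work, which is the race. */
int handler_fixed(struct session *sess, int logoff_midway) {
    struct user *u = user_get(sess->user);   /* pin the object for the duration */
    if (!u) return -1;
    if (logoff_midway) logoff_fixed(sess);   /* A logs off; refcount 2 -> 1, object survives */
    int n = (int)strlen(u->name);            /* safe: B still holds its reference */
    user_put(u);                             /* 1 -> 0: released here, after the last use */
    return n;
}

int main(void) {
    struct session sess = { user_new("alice") };
    int n = handler_fixed(&sess, 1);
    printf("handler saw name length %d, objects freed so far: %d\n", n, users_freed);
    printf("second handler returns %d (session has no user now)\n", handler_fixed(&sess, 0));
    return 0;
}
```

The vulnerable path is left in for comparison and is never executed, because dereferencing freed memory is undefined behaviour; on a real kernel heap the attacker's job is to get their own data into that freed slot before the handler's next read. Whether the upstream fix took exactly this form is not something this page documents; a reference count on the shared object is the general remedy for this bug class, because the logoff path can then only drop its own reference.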
Why Law Firms Are High-Value Targets
Law firms rank in the top five targets for sophisticated cyberattacks, according to the American Bar Association's 2025 TechReport. The ABA survey found that 29% of firms reported a security breach at some point, with the number rising to 36% for firms over 100 attorneys.
The reason is straightforward: law firms are data aggregators. A single firm handling M&A work holds material non-public information that's worth millions in insider trading value. A firm handling class action litigation holds the personal data of thousands of plaintiffs. A firm doing patent work holds trade secrets. All of it is protected by attorney-client privilege, which makes the data even more valuable to attackers because the firm can't easily disclose the breach without further compromising clients.
AI-discovered zero-days make this worse in two ways. First, attackers using AI tools can find vulnerabilities in the specific software your firm runs. They don't need generic attacks. They can target the exact version of your document management system, your email server, or your VPN appliance. Second, AI-generated exploits can be customized quickly. The time between discovering a vulnerability and weaponizing it shrinks from weeks to days.
The Jones Day breach via Accellion's File Transfer Appliance in 2021 is the closer precedent: the attackers exploited flaws in the appliance before Accellion had patches out, and many of the vendor's other customers were hit through the same product. The 2016 Cravath, Swaine & Moore incident shows what happens next: the attackers used stolen M&A information for insider trading. AI-assisted discovery means more attacks will start from flaws nobody knows about yet.
What Your Firm's Security Posture Needs to Change
Traditional law firm cybersecurity focuses on perimeter defense: firewalls, endpoint protection, email filtering, and user training. These are necessary but insufficient against zero-day attacks. If the exploit has no known signature, your antivirus won't catch it. If it rides a protocol your firewall is already configured to allow, such as SMB between a workstation and a file server, your firewall won't block it.
The shift is from prevention-only to detection and containment. Your firm needs to assume that breaches will happen and build systems that detect unusual behavior even when the attack vector is unknown.
Network segmentation is the first priority. Client data should not sit on the same network segment as internet-facing services, and SMB should not be allowed to cross segment boundaries except where a documented workflow needs it. If an attacker exploits a zero-day in your web-facing application, segmentation stops them from reaching the document management system from that foothold.
Behavioral monitoring is the second. Tools that baseline normal network behavior and flag deviations can detect exploitation without knowing the specific vulnerability. If a file server that normally handles about 100 SMB connections per hour suddenly processes 10,000, that's a signal worth waking someone for, whatever the exploit was.
Patch velocity matters more than ever. When a vendor ships a fix for a newly disclosed vulnerability, your firm needs to deploy it in days at most, and in hours for internet-facing systems, not in the next monthly maintenance window. The gap between public disclosure and active exploitation of critical vulnerabilities is now routinely days and sometimes hours. Your IT team or managed security provider needs a documented, tested process for emergency patching, including what to do when a fix breaks something.
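The baselining idea above in working form, as an added example (my own code, not from any monitoring product mentioned or implied here). The log lines are constructed: one per hour from a hypothetical file server, each carrying the number of new SMB sessions accepted in that hour, with one deliberately malformed line to show how unparseable input is kept out of the baseline. The detector uses median and median absolute deviation (MAD) rather than mean and standard deviation, so the spike it is hunting cannot inflate its own baseline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the article's or any product's code. Constructed input:
 * one line per hour from a hypothetical file server with the number of new
 * SMB sessions it accepted; the last line is deliberately malformed. */
static const char *smb_hourly[] = {
    "2025-09-01T08:00 fileserver01 smb_sessions=94",
    "2025-09-01T09:00 fileserver01 smb_sessions=103",
    "2025-09-01T10:00 fileserver01 smb_sessions=111",
    "2025-09-01T11:00 fileserver01 smb_sessions=98",
    "2025-09-01T12:00 fileserver01 smb_sessions=120",
    "2025-09-01T13:00 fileserver01 smb_sessions=87",
    "2025-09-01T14:00 fileserver01 smb_sessions=105",
    "2025-09-01T15:00 fileserver01 smb_sessions=99",
    "2025-09-01T16:00 fileserver01 smb_sessions=116",
    "2025-09-01T17:00 fileserver01 smb_sessions=92",
    "2025-09-01T18:00 fileserver01 smb_sessions=108",
    "2025-09-01T19:00 fileserver01 smb_sessions=101",
    "2025-09-01T20:00 fileserver01 smb_sessions=10412",
    "2025-09-01T21:00 fileserver01 (log rotated)",
};
#define SMB_HOURLY_N (sizeof smb_hourly / sizeof smb_hourly[0])

/* Extract timestamp and session count from one line; 1 on success, 0 if the
 * line carries no count (it is then left out of the baseline). */
int parse_smb_line(const char *line, char ts[17], long *count) {
    return sscanf(line, "%16s %*s smb_sessions=%ld", ts, count) == 2;
}

static int cmp_double(const void *a, const void *b) {
    double x = *(const double *)a, y = *(const double *)b;
    return (x > y) - (x < y);
}

/* Median of v[0..n), taken on a sorted copy so the caller's order survives. */
static double median(const double *v, size_t n) {
    double *tmp = malloc(n * sizeof *tmp);
    if (!tmp) abort();
    memcpy(tmp, v, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_double);
    double m = (n % 2) ? tmp[n / 2] : (tmp[n / 2 - 1] + tmp[n / 2]) / 2.0;
    free(tmp);
    return m;
}

/* Flag hours whose count is more than k robust standard deviations from the
 * median. Returns the number of anomalies and stores up to cap of their line
 * indexes in out_idx. */
int detect_smb_anomalies(const char **lines, size_t n, double k,
                         size_t *out_idx, size_t cap) {
    if (n == 0) return 0;
    double *counts = malloc(n * sizeof *counts);
    double *dev    = malloc(n * sizeof *dev);
    size_t *map    = malloc(n * sizeof *map);     /* parsed index -> line index */
    if (!counts || !dev || !map) abort();
    size_t m = 0;
    for (size_t i = 0; i < n; i++) {
        char ts[17]; long c;
        if (parse_smb_line(lines[i], ts, &c)) { counts[m] = (double)c; map[m++] = i; }
    }
    int found = 0;
    if (m > 0) {
        double med = median(counts, m);
        for (size_t i = 0; i < m; i++) {
            dev[i] = counts[i] - med;
            if (dev[i] < 0) dev[i] = -dev[i];
        }
        /* 1.4826 * MAD estimates sigma for roughly normal data; the floor of
         * 1.0 stops a perfectly flat baseline (MAD == 0) flagging every +1. */
        double sigma = 1.4826 * median(dev, m);
        if (sigma < 1.0) sigma = 1.0;
        for (size_t i = 0; i < m; i++) {
            if (dev[i] > k * sigma) {
                if ((size_t)found < cap) out_idx[found] = map[i];
                found++;
            }
        }
    }
    free(counts); free(dev); free(map);
    return found;
}

int main(void) {
    size_t idx[8];
    int n = detect_smb_anomalies(smb_hourly, SMB_HOURLY_N, 5.0, idx, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("anomaly: %s\n", smb_hourly[idx[i]]);
    return 0;
}
```

With this data the median is 103 sessions and the MAD is 8, so the threshold at k = 5 is about 59 sessions either side of the median; the 120 at noon stays inside it and only the 10,412 at 20:00 is flagged. A mean-and-stddev baseline over the same data would be dragged toward the spike and the threshold would widen with it, which is why robust statistics are the better default for this job. In production the baseline would be per-server and per-hour-of-day, fed from the file server's connection logs or the SMB counters your monitoring agent already collects.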
What This Means for Your Firm
Conduct a software inventory immediately. Document every application, server, and network device your firm uses, including versions. Cross-reference that inventory against published CVE databases. Any unpatched critical vulnerability is an open door.
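The one step in that cross-reference that routinely goes wrong is deciding whether an installed version is older than the version an advisory says is fixed. An added example (mine, not from the article's sources or any scanner) of doing that comparison correctly; the hosts, products, versions and advisory IDs below are constructed placeholders, not real assets or real CVE records.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example with constructed data: the hosts, products, versions and
 * advisory IDs are placeholders, not real assets or real CVE records. */
struct asset    { const char *host, *product, *version; };
struct advisory { const char *id, *product, *fixed_in, *severity; };

static const struct asset inventory[] = {
    { "dms01",  "docmgr-server", "5.10.9"  },
    { "dms02",  "docmgr-server", "5.10.12" },
    { "vpn01",  "edge-vpn",      "9.1.3"   },
    { "mail01", "mail-gateway",  "2.4"     },
};
static const struct advisory advisories[] = {
    { "ADV-0001", "docmgr-server", "5.10.10", "critical" },
    { "ADV-0002", "edge-vpn",      "9.1.3",   "high"     },
    { "ADV-0003", "mail-gateway",  "2.4.1",   "critical" },
};
#define INVENTORY_N  (sizeof inventory  / sizeof inventory[0])
#define ADVISORIES_N (sizeof advisories / sizeof advisories[0])

/* Read one numeric component from a dotted version string, advancing *s past
 * it and its dot. An exhausted string yields 0 so "2.4" compares equal to
 * "2.4.0"; a non-numeric tail such as "-rc1" ends the comparison. */
static long next_component(const char **s) {
    char *end;
    if (!**s) return 0;
    long v = strtol(*s, &end, 10);
    if (end == *s) { *s += strlen(*s); return 0; }
    *s = (*end == '.') ? end + 1 : end;
    return v;
}

/* strcmp-style result on numeric components. strcmp("5.10.9", "5.10.10") is
 * positive and would call dms01 patched; this returns negative. */
int version_cmp(const char *a, const char *b) {
    while (*a || *b) {
        long x = next_component(&a), y = next_component(&b);
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

/* 1 if the advisory covers this asset's product and the installed version
 * is older than the fixed version. */
int asset_unpatched(const struct asset *a, const struct advisory *v) {
    return strcmp(a->product, v->product) == 0 && version_cmp(a->version, v->fixed_in) < 0;
}

/* Count unpatched (asset, advisory) pairs, optionally restricted to one
 * severity (NULL = all), printing each one when verbose is set. */
int count_unpatched(const struct asset *inv, size_t ni,
                    const struct advisory *adv, size_t na,
                    const char *severity, int verbose) {
    int hits = 0;
    for (size_t i = 0; i < ni; i++)
        for (size_t j = 0; j < na; j++) {
            if (severity && strcmp(adv[j].severity, severity) != 0) continue;
            if (!asset_unpatched(&inv[i], &adv[j])) continue;
            if (verbose)
                printf("%-7s %-14s %-8s < %-8s  %s (%s)\n", inv[i].host, inv[i].product,
                       inv[i].version, adv[j].fixed_in, adv[j].id, adv[j].severity);
            hits++;
        }
    return hits;
}

int main(void) {
    int n = count_unpatched(inventory, INVENTORY_N, advisories, ADVISORIES_N, NULL, 1);
    printf("%d unpatched pairs\n", n);
    return 0;
}
```

Run against the constructed data it reports two open doors: dms01 at 5.10.9 is below the 5.10.10 fix even though a text sort puts it after, and mail01 at 2.4 is below 2.4.1. dms02 and vpn01 are at or past their fixed versions. Real advisories often express affected ranges rather than a single fixed version, and vendors do not all number consistently, so treat this as the comparison primitive under an inventory tool rather than the whole tool.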
Evaluate your data architecture. Where is privileged client data stored? How many systems can access it? The fewer paths to sensitive data, the smaller the attack surface. If your entire firm can access all client files from any device on the network, you're one zero-day away from a catastrophic breach.
Invest in managed detection and response (MDR). Most firms under 200 attorneys don't have the internal team to run a 24/7 security operations center. MDR providers offer continuous monitoring with AI-powered behavioral analysis. The cost is a fraction of a single breach response.
Review your AI vendor contracts through a security lens. If your firm uses AI tools that connect to your network or access your file systems, those tools are part of your attack surface. The vendor contract requirements framework covers the data handling provisions you need. Build your incident response plan now, before you need it.
The Bottom Line: AI just made zero-day discovery faster and cheaper for both sides. Law firms that don't upgrade from perimeter defense to detection-and-containment security are sitting on breaches they haven't found yet.
AI-Assisted Research. This piece was researched and written with AI assistance, reviewed and edited by Manu Ayala. For deeper takes and the perspective behind the research, follow me on LinkedIn or email me directly.
