























Bharti Airtel and Vodafone Idea are reviewing the security practices of their network software vendors after Claude Mythos Preview, an artificial intelligence (AI) model released by US-based Anthropic on April 7, autonomously found and exploited software vulnerabilities that had survived decades of human review, Moneycontrol reported.
India’s nodal cybersecurity agency, the Indian Computer Emergency Response Team (CERT-In), issued a High-severity rating advisory on April 26, directly citing the AI model, warning organisations to treat every newly disclosed vulnerability as exploitable within hours, not weeks.
Why this matters for ordinary users: Airtel and Vodafone Idea (Vi) hold the call records, location data, and payment information of hundreds of millions of Indians. Their core network software runs on systems built and maintained by vendors like Nokia, Ericsson, and Samsung, meaning the operators themselves cannot patch vulnerabilities. An AI that finds those vulnerabilities faster than any human team compresses the window for attackers to exploit them before a fix arrives.
What Claude Mythos is, and why it matters: Every app, website, and telecom network runs on software. That software has bugs, some hidden for years, even decades, that attackers can exploit to break in and steal data. Finding those bugs has always required rare, expensive human expertise and months of painstaking work. That is the only reason most of them stayed hidden for so long.
Claude Mythos Preview changes that. It is an AI model that can read software code, identify hidden flaws, and figure out how to exploit them, entirely on its own, in hours, across thousands of programmes simultaneously. It does not get tired, does not need a salary, and does not need a decade of security training. Anyone with access to it gets, effectively, an army of expert hackers available at the push of a button.
To understand the scale of what it found during testing: Claude Mythos Preview identified thousands of zero-day vulnerabilities across every major operating system and every major web browser. A zero-day vulnerability is a flaw that even the software’s own developers did not know existed; there is no fix available the moment it is discovered, so whoever finds it first, defender or attacker, holds a complete advantage. Confirmed examples from Anthropic’s red team blog:
Why Anthropic restricted it: Anthropic acknowledged that the same capabilities that can bolster cyber defences can also be weaponised by attackers, and privately warned top government officials that Mythos makes large-scale cyberattacks significantly more likely this year. Rather than a public release, Anthropic launched Project Glasswing, a $100 million initiative giving access to critical industry partners, including Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, and Nvidia, to use Claude Mythos Preview for defensive security work. No Indian company features among the named partners.
What CERT-In said: The April 26 CERT-In advisory, issued under the Ministry of Electronics and Information Technology (MeitY), tells organisations to:
What Airtel said: Airtel’s chief technology officer, Randeep Sekhon, speaking at a Cellular Operators Association of India (COAI) event, confirmed the company is in active discussions with its suppliers, saying “we don’t do this, the software is owned by them.” Sekhon said vulnerabilities flagged so far are incremental software bugs rather than systemic infrastructure threats and that the government had not yet directly approached telecom operators on the issue.
What Vi said: Vodafone Idea’s chief executive, Abhijit Kishore acknowledged the growing focus on advanced AI systems and their ability to detect vulnerabilities and potential data security risks, without confirming specific partnerships or fix timelines.
What the Finance Ministry and banks are doing: Finance Minister Nirmala Sitharaman, on April 23, chaired a meeting with bank chiefs, Reserve Bank of India (RBI) officials, and MeitY representatives to assess the risks Claude Mythos poses to India’s financial systems. Sitharaman described the risks as “unprecedented” and called for a real-time threat intelligence sharing system across banks, CERT-In, and other agencies. Key outcomes of the meeting:
The National Payments Corporation of India (NPCI) wants early access to Claude Mythos to identify zero-day vulnerabilities in India’s payment systems before the AI model deploys more widely. However, India’s 2018 data localisation rules require payment system providers to store all transaction data exclusively on servers within India, while Mythos runs on strictly controlled servers in the United States, creating a direct compliance conflict that NPCI has not publicly resolved.
Furthermore, Bloomberg reported on April 21 that a small group of unauthorised users gained access to Mythos through a third-party vendor environment on the same day the model was announced, raising questions about whether restricted access controls are as airtight as Anthropic claims.
CERT-In’s compliance track record: The April 26 advisory is not CERT-In’s first attempt to enforce tight cybersecurity timelines. Its 2022 cybersecurity directions required all organisations to report incidents within six hours of detection, a mandate MediaNama reported at the time that cybersecurity experts called “a complete joke” and “not feasible at all”. The directions faced such pushback that CERT-In extended the compliance deadline for micro, small, and medium enterprises (MSMEs).
CERT-In’s 2022 annual report, which revealed it handled nearly 14 lakh cyber incidents that year, contained no statistics on how many entities actually complied with the directions. The new 24-hour patch requirement raises the same enforcement question.
The data protection angle: Airtel, Vi, and banks all qualify as data fiduciaries under the Digital Personal Data Protection Act, 2023 (DPDPA). As MediaNama has reported, a successful AI-driven breach of systems owned by their software vendors would constitute a personal data breach under the DPDP Rules, 2025, requiring data fiduciaries to notify affected users without delay and submit a detailed report to the Data Protection Board within 72 hours. Failure to report a breach carries a fine of up to Rs 200 crore. Neither Airtel nor Vi has clarified whether their current vendor contracts include mandatory patch timelines consistent with CERT-In’s 24-hour requirement.
A note of caution: Security researcher Bruce Schneier argued that a separate firm replicated some findings using older, cheaper models and that Project Glasswing is partly a PR exercise. Anthropic itself acknowledged that the long-run outcome is likely to favour defenders but warned that the transitional period will be fraught.
Also read:
For You
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。