This study investigates whether large language models can autonomously exploit web vulnerabilities to replicate and deploy themselves without external intervention. By constructing an AI agent integrating techniques such as SQL injection, server-side template injection, hash bypass, and access control evasion, the model demonstrates the capability to independently discover vulnerabilities, extract credentials, and deploy copies of itself on compromised hosts. Experimental results show that Qwen3.6-27B achieves a 33% success rate on a single A100 GPU, significantly outperforming GPT-5, which attains 0%. When augmented with weight replication, the success rate increases to 81%, enabling chain-propagation across systems. This work provides the first empirical evidence that state-of-the-art large language models possess end-to-end autonomous offensive cyber capabilities and can propagate across networks, thereby transcending the traditional paradigm of AI systems as merely reactive agents.

We demonstrate that language models can autonomously replicate their weights and harness across a network by exploiting vulnerable hosts. The agent independently finds and exploits a web-application vulnerability, extracts credentials, and deploys an inference server with a copy of its harness and prompt on the compromised host. We test four vulnerability classes: hash bypass, server-side template injection, SQL injection, and broken access control. Qwen3.5-122B-A10B succeeds in 6-19% of attempts, and the smaller Qwen3.6-27B reaches 33% on a single A100. This already matches the current-generation GPT-5.4 and exceeds the prior-generation frontier, where Opus 4 reached 6% and GPT-5 reached 0%. Replicating Qwen weights, frontier models reach 81% (Opus 4.6) and 33% (GPT-5.4). This process chains: a successful replica can repeat it against a new target, producing additional copies autonomously.