AXE: An Agentic eXploit Engine for Confirming Zero-Day Vulnerability Reports
Amirali Sajadi, Tu Nguyen, Kostadin Damevski, Preetha Chatterjee

TL;DR
AXE is a multi-agent framework that leverages minimal vulnerability metadata to improve automated exploitation success rates in web security testing, aiding vulnerability validation and triage.
Contribution
Introduces AXE, a novel multi-agent system that maps lightweight vulnerability metadata to exploits, significantly enhancing grey-box exploitation effectiveness over existing black-box methods.
Findings
Achieves 30% exploitation success rate on CVE-Bench, 3x better than baselines.
Grey-box metadata improves performance by 1.75x even with a single agent.
Produces actionable proof-of-concept artifacts for web vulnerabilities.
Abstract
Vulnerability detection tools are widely adopted in software projects, yet they often overwhelm maintainers with false positives and non-actionable reports. Automated exploitation systems can help validate these reports; however, existing approaches typically operate in isolation from detection pipelines, failing to leverage readily available metadata such as vulnerability type and source-code location. In this paper, we investigate how reported security vulnerabilities can be assessed in a realistic grey-box exploitation setting that leverages minimal vulnerability metadata, specifically a CWE classification and a vulnerable code location. We introduce Agentic eXploit Engine (AXE), a multi-agent framework for Web application exploitation that maps lightweight detection metadata to concrete exploits through decoupled planning, code exploration, and dynamic execution feedback. Evaluated…
Taxonomy
Topics: Web Application Security Vulnerabilities · Information and Cyber Security · Software Testing and Debugging Techniques
