Claude Mythos found a 27-year-old integer overflow in OpenBSD. Pause on that.
OpenBSD is the operating system that built its entire reputation on being security-reviewed continuously by some of the most paranoid engineers in the industry. The bug was in code that had been audited, fuzzed, re-audited, and stared at by experts for nearly three decades. And it was sitting there the whole time, findable in hours by an AI model that had never seen the codebase before.
Mythos also found a 16-year-old flaw in FFmpeg that survived more than five million automated fuzzing tests. FFmpeg is one of the most-fuzzed open-source codebases on the planet. Google's OSS-Fuzz infrastructure has been pounding it with random inputs continuously for over a decade. Academic papers have been written specifically about how to fuzz it effectively. The bug was there anyway. Five million tests did not find it. Mythos did.
Take these two findings together and the implication is brutal: every line of code written before 2025 was written under the assumption that human-grade adversarial review was the worst case it would face. That assumption was wrong. Every mature codebase you depend on is sitting on a population of latent zero-days that just became findable by anyone with a few thousand dollars of compute budget.
Now do the inventory in your head. Banks running COBOL workloads written in the 1980s. Hospitals running Windows Server 2012 because medical device certification cycles make upgrades slow. Industrial control systems running firmware from 2008. Insurance carriers running mainframe applications older than most of their employees. Government systems running middleware that nobody at the agency understands well enough to upgrade. All of it just got dramatically more dangerous, and nothing about the code itself changed. What changed is who can find the bugs in it.
The honest framing: legacy code stopped being a maintenance cost and became an active security liability. That is a category change, not a degree change. Maintenance costs you defer. Active security liabilities you address before regulators and incidents address them for you.
The traditional argument for keeping legacy systems running was always cost-versus-risk. Modernization is expensive. The risk of leaving the system alone seemed manageable as long as nothing bad had happened. The risk side of that equation just shifted by an order of magnitude. The vulnerabilities Mythos finds in OpenBSD are interesting curiosities. The vulnerabilities Mythos-class capability will find in your custom COBOL three years from now will be quietly devastating.
Three things every enterprise should do this quarter:
Inventory by risk concentration. Which systems are running code more than five years old, handle sensitive data, and are reachable from anything untrusted? That is your highest-priority modernization queue. Build the heat map now, not when an incident forces it.
Accelerate planned modernization. Most modernization plans assume multi-year horizons because the urgency was modest. The urgency just changed. Some of those plans need to compress.
Apply compensating controls aggressively for systems you cannot modernize fast. Network isolation. Identity boundaries. Comprehensive boundary logging so you can detect anomalous behavior even when you cannot patch the underlying flaw.
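The three steps above can be turned into a first-pass triage over an asset inventory. The following is an added example, not code from the original post: it scores each system against the post's three criteria (code older than five years, sensitive data, reachable from something untrusted), orders the modernization queue, and tags systems that cannot be modernized fast with the post's compensating controls. The inventory, dates and field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class LegacySystem:
    name: str
    last_major_revision: date       # when the running code was last substantially changed
    handles_sensitive_data: bool
    reachable_from_untrusted: bool  # internet, partner links, flat internal networks
    modernizable_this_year: bool    # whether a compressed modernization plan is feasible

# Compensating controls from the post, for systems that cannot be modernized fast.
COMPENSATING_CONTROLS = ("network isolation", "identity boundaries", "boundary logging")

def code_age_years(system: LegacySystem, today: date) -> float:
    return (today - system.last_major_revision).days / 365.25

def risk_tier(system: LegacySystem, today: date) -> int:
    """Tier 1: all three criteria; tier 2: old code plus one more; tier 3: everything else."""
    if code_age_years(system, today) <= 5:
        return 3
    others = int(system.handles_sensitive_data) + int(system.reachable_from_untrusted)
    return {2: 1, 1: 2, 0: 3}[others]

def modernization_queue(systems, today: date):
    """Highest-risk tier first; within a tier, the oldest code first."""
    return sorted(systems, key=lambda s: (risk_tier(s, today), -code_age_years(s, today)))

def plan(systems, today: date):
    """Return (name, tier, action) rows in queue order."""
    rows = []
    for s in modernization_queue(systems, today):
        tier = risk_tier(s, today)
        if tier == 3:
            action = "scheduled modernization"
        elif s.modernizable_this_year:
            action = "compress modernization plan"
        else:
            action = "apply compensating controls: " + ", ".join(COMPENSATING_CONTROLS)
        rows.append((s.name, tier, action))
    return rows

# Constructed sample inventory (hypothetical systems) and a fixed assessment date.
AS_OF = date(2026, 1, 15)
INVENTORY = [
    LegacySystem("core-ledger-cobol", date(1988, 6, 1), True, True, False),
    LegacySystem("imaging-win2012", date(2013, 3, 1), True, False, True),
    LegacySystem("plant-plc-firmware", date(2008, 9, 1), False, True, False),
    LegacySystem("claims-portal-2023", date(2023, 11, 1), True, True, True),
]
```

Running `plan(INVENTORY, AS_OF)` puts the COBOL ledger first (all three criteria, cannot be modernized fast, so compensating controls), the two older tier-2 systems next with the oldest code first, and the 2023 portal last.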
The legacy systems that cause incidents in 2027 will be the legacy systems whose owners did not start the work in 2026. The clock started this month.
Read the deep dive, Inside the Zero-Days Claude Mythos Discovered: a full analysis of the OpenBSD and FFmpeg findings and what they reveal about every mature codebase you depend on.