Exploit Chains: Causally-Linked Attack Sequences
- Exploit chains are ordered, causally-linked sequences that combine individual vulnerabilities to achieve full system breaches.
- They span diverse domains—from code-reuse and hypervisor attacks to supply-chain compromises and agent-driven exploits—demonstrating key compositionality.
- Detection and automation leverage finite-state models and machine learning to assemble and monitor multi-stage exploit paths in real time.
Searching arXiv for the provided paper ids and closely related exploit-chain literature to ground the article in current research. Searching arXiv for "(Saha et al., 2023) exploit chain ML-FEED" Exploit chains are ordered, causally linked sequences of adversarial operations that transform an initial primitive into an end-to-end security outcome. The primitive may be a gadget in a code-reuse payload, a pointer-corruption vulnerability in a hypervisor, a known remote or privilege-escalation exploit in a network, a package-registry or dependency-layer compromise in a software supply chain, or a seemingly harmless tool call in an LLM agent. Across these settings, the defining property is compositionality: the security significance of the chain lies not in any isolated step, but in the cumulative effect of the sequence as a whole (Vishnyakov et al., 2020, Pan et al., 3 Dec 2025, Tan et al., 17 Mar 2026, Li et al., 30 Sep 2025).
1. Definitions and domain variants
The term exploit chain is used in several adjacent but non-identical senses. In automated code-reuse exploitation, an exploit chain is an ordered tuple of gadgets,
whose overall effect is the composition of gadget semantics on machine state (Vishnyakov et al., 2020). In hypervisor exploitation, an exploit chain is
taking the attacker from an initial pointer-corruption vulnerability to a final capability escalation such as arbitrary code execution in the host (Pan et al., 3 Dec 2025). In network planning, an exploit chain is a sequence such that successive exploits raise attacker privileges until the target host reaches root (Tulla et al., 9 Apr 2025). In software supply-chain security, exploit chains are end-to-end, multi-stage sequences of adversary actions spanning package-registry abuse, dependency tampering, build or pipeline compromise, in-memory loaders, command-and-control establishment, and final objectives such as data exfiltration or persistence (Tan et al., 17 Mar 2026). In tool-augmented agent systems, an exploit chain may be a tool sequence or an MCP task tuple whose composition yields a harmful environment change or emergent capability that violates the security boundaries of the participating services (Li et al., 30 Sep 2025, Noever, 27 Aug 2025).
| Domain | Formal chain object | Endpoint described in the literature |
|---|---|---|
| Code-reuse exploitation | System-call execution or arbitrary state transformation | |
| Hypervisor exploitation | Capability escalation such as arbitrary code execution | |
| Software supply chain | Multi-stage adversary action sequence | Data exfiltration or persistence |
| Agent and MCP systems | or | Harmful environment change or emergent capability |
A central distinction, emphasized in the supply-chain literature, is between an exploit chain and an individual exploit. Individual exploits are limited to isolated actions such as a malicious package dropper or a buffer-overflow exploit. Exploit chains require reconstructing causal linkage across heterogeneous environments, and their evidence is often fragmented across process lineage, network flows, build logs, or multi-turn tool traces (Tan et al., 17 Mar 2026). This suggests that the concept is best understood as a relational property over steps, states, and dependencies rather than as a property of any single vulnerability.
2. Formal semantics and low-level execution models
In code-reuse attacks, exploit chains are modeled as programs for a custom virtual machine induced by the target binary’s gadget set. A gadget is a short instruction sequence ending in a control-transfer instruction, and a gadget catalog records semantic description, virtual address, code, parameters, and side effects (Vishnyakov et al., 2020). Once cataloged, gadgets define an instruction set over machine states, with each gadget 0 carrying semantics 1. The chain semantics are then
2
making exploit construction a code-generation problem over an emergent architecture (Vishnyakov et al., 2020).
This virtual-machine perspective is made operational in automated chain assemblers. "MAJORCA: Multi-Architecture JOP and ROP Chain Assembler" constructs payloads by cataloging gadgets, classifying their semantics, arranging them in a DAG, scheduling them under register-conflict constraints, and linearizing them to ready-to-run payloads (Nurmukhametov et al., 2021). The exploited process is treated as a code-reuse VM whose program counter is the stack pointer, whose opcodes are gadget addresses, and whose state comprises registers and memory. MAJORCA additionally handles restricted symbols in gadget addresses and data by filtering gadgets and synthesizing clean addends through a byte-wise dynamic program. Its evaluation reports 90 successful Linux x86-64 chains in rop-benchmark, 124/139 successful cases on Debian 10, and 112 successful cases on a 32-bit MIPS Malta Debian suite; it also defines the chaining metric
3
to estimate OS-level resistance to ROP chaining (Nurmukhametov et al., 2021).
A complementary approach represents each gadget as register-rewrite equations. "A practical analysis of ROP attacks" transforms each x86_64 gadget into equations of the form 4, classifies gadgets as stateless or stateful depending on whether right-hand sides depend on existing register values, and then solves chain selection as a two-phase permutation problem (Bansal et al., 2021). The prototype succeeded on 35 statically linked GNU Coreutils 8.1 binaries under disabled ASLR, DEP, and shadow stacks, with generated chains consistently about 8–10 gadgets for repeated mprotect tests (Bansal et al., 2021).
Hypervisor exploitation generalizes low-level chaining beyond classic ROP/JOP. "Breaking Isolation: A New Perspective on Hypervisor Exploitation via Cross-Domain Attacks" models system memory as two disjoint regions,
5
with a translation 6 that allows host code to dereference pointers into guest memory (Pan et al., 3 Dec 2025). The attack primitive is overwriting a host-side pointer location 7 with an attacker-chosen value 8, then driving hypervisor logic to free, read, write, or call through 9. The paper defines four canonical Cross-Domain Attack variants: CDAᵃ for arbitrary code execution, CDAᶦ for information leakage, CDAᵒ for critical data overwrite, and CDAᶜ for chunk confusion. Its automated pipeline identifies cross-domain gadgets, matches them with corrupted pointers, synthesizes triggering inputs, and assembles complete exploit chains. Evaluation on 15 real-world vulnerabilities across QEMU and VirtualBox reports 772 cross-domain gadgets in QEMU, 200+ in VirtualBox, automated end-to-end exploits for 15 real CVEs, and 100% success on that set (Pan et al., 3 Dec 2025).
One common misconception is that exploit chains are synonymous with gadget chains. The literature does not support that restriction. Gadget chaining is one formalization, but the same compositional structure appears in cross-host privilege-escalation planning, guest-host pointer migration, software supply-chain reconstruction, and tool-enabled agent compromise.
3. Detection and monitoring of exploit-chain progression
Exploit-chain detection can be framed as online state tracking rather than whole-sequence classification. "ML-FEED: Machine Learning Framework for Efficient Exploit Detection" explicitly models its sequence monitor as a finite-state machine that advances in-flight exploit chains one API call at a time (Saha et al., 2023). The state space is
0
where each coordinate tracks position in one of 79 exploit-fingerprint patterns. For each API call feature vector 1, a multi-label classifier
2
predicts which exploit indices could be advanced; then a state table updates only those candidates whose cosine similarity to the next fingerprint token exceeds the threshold 3. An alarm is raised when a fingerprint reaches its final state (Saha et al., 2023).
The framework departs from traditional whole-trace classification by operating at finer granularity. Vulnerability fingerprints are built semi-automatically from the Common Weakness Enumeration and Common Vulnerabilities and Exposures databases. The offline extraction pipeline starts from a high-level fingerprint graph from CWE, derives a low-level vulnerability query from CVE patch or exploit write-ups, and then uses WALA’s Class-Hierarchy Analysis plus Andersen pointer analysis to mine matching API call sequences from inter-procedural SDGs. The resulting canonical prototypes are represented as 151-dimensional feature vectors combining FastText-based API-name embeddings, JVM bytecode-category one-hot encoding, analysis-scope one-hot encoding, package or class one-hot encoding, and frequency vectors for input and output types (Saha et al., 2023).
The evaluation uses 79 exploit categories, 226 207 malicious snippets, and 1 101 388 benign snippets from the Juliet Java suite, with an 85/15 train/test split at the snippet level. The ML-FEED classifier is a 151→150→100→79 fully connected network with sigmoid outputs. Compared with a lightweight LSTM baseline and a GPT-2 small transformer baseline, ML-FEED reports 98.2% precision, 97.4% recall, and 97.8% F1, while requiring 6.53 μs per API call and a 0.97 MB model. The paper states that this is 72.9× faster than the LSTM and 75 828.9× faster than the transformer, with 4.5× and 2 500.6× fewer parameters (Saha et al., 2023).
The significance of this design is methodological. By coupling a lightweight per-call classifier with a thresholded finite-state monitor, the system tracks the progress of potential exploit chains rather than merely labeling complete traces. This suggests a broader pattern: exploit-chain detection frequently benefits from explicit intermediate state, whether represented as FSM indices, graph paths, or temporal event graphs.
4. Automated discovery, planning, and assembly
Automated exploit-chain construction has been formulated as planning, search, and staged synthesis. "ALFA-Chains: AI-Supported Discovery of Privilege Escalation and Remote Exploit Chains" models a network as hosts 4, connectivity relation 5, product configurations 6, exploit set 7, and privilege levels 8 for None, Low, High, and Root (Tulla et al., 9 Apr 2025). A system state is an assignment 9, the initial state grants root only on the attacker machine, and the goal is any state with root on the target host. This is rendered as an attack graph with nodes 0 and edges corresponding to exploits whose preconditions and protocol reachability are satisfied (Tulla et al., 9 Apr 2025).
ALFA-Chains casts chain discovery as a PDDL planning problem. Each relevant exploit becomes a planner action with preconditions over compromise level, network connectivity, and exact product-version matches; planners such as Fast Downward with K*, LAMA, LAMA-first, or ENHSP then search for short plans under unit exploit cost. The system was tested on networks ranging from 3 to 200 hosts. It discovered the expected 3-step chain in a 3-host DMZ+LAN network in 0.008 s, returned 13 chains of average length 6.9 in a 20-host, six-subnet topology in 0.016 s, and found a single plan in 3.16 s for a 200-host variant. On a realistic firewalled lab, it rediscovered the known chain and 12 novel exploit chains, one of which was manually executed using Drupal, CouchDB, and a local BPF privilege-escalation module (Tulla et al., 9 Apr 2025).
"Automation-Exploit: A Multi-Agent LLM Framework for Adaptive Offensive Security with Digital Twin-Based Risk-Mitigated Exploitation" separates exploit chains into logical and binary classes (Andreucci et al., 24 Apr 2026). A logical chain is
1
where each 2 is a web or application-layer primitive such as SQL injection, CSRF, or misconfiguration. A binary chain is
3
where low-level primitives culminate in full control of the instruction pointer. The framework decomposes work among narrowly prompted agents such as Recon Hunter, Objective Setter, Accumulator, Drafter, Fixer, Navigator, Sim Engineers, Sanitizer, and Reviewer. For high-risk memory-corruption flaws, execution moves into a containerized Digital Twin only if the target binary has been exfiltrated; acceptance of the twin requires a Behavioral Mirror Test over a probe set 4 and strict state synchronization including exact libc alignment, file descriptor hooking via LD_PRELOAD + dup2, and network topology mirroring (Andreucci et al., 24 Apr 2026).
Its reported metrics include the Global Efficiency Ratio
5
Time-to-Compromise 6, False-Positive Rate at Stage 1, and Action Executability Rate (Andreucci et al., 24 Apr 2026). Across eight scenarios, GER ranged from 22.22% to 99.85%, TTC from 91.4 to 171.0 minutes, and Digital Twin instantiation accounted for 2.9% of TTC. Table 17 reports 9 DoS conditions intercepted in the Custom Linux ROP scenario and 5 in the Custom Windows UAF scenario; all Stage 1 false positives were eliminated by the Stage 2 Reviewer, with zero incorrect compromises reported (Andreucci et al., 24 Apr 2026).
Taken together, these systems show three distinct automation styles. Planning-based systems reason over explicit host states and exploit preconditions. Binary-chain assemblers reason over symbolic machine state and gadget semantics. Multi-agent orchestration systems interleave reconnaissance, code drafting, validation, and risk mitigation. The shared structure is staged composition under constraints.
5. Tool-composition and agentic exploit chains
In LLM agents, exploit chains increasingly arise from cross-tool composition rather than from a single unsafe output. "STAC: When Innocent Tools Form Dangerous Chains to Jailbreak LLM Agents" formalizes Sequential Tool Attack Chaining with a finite tool sequence 7 and composite execution
8
where each intermediate step is considered harmless by policy while the final effect triggers harm (Li et al., 30 Sep 2025). Formally,
9
with 0 (Li et al., 30 Sep 2025). The paper’s closed-loop framework comprises Generator, Verifier, Prompt Writer, Planner, and Judge. On 483 STAC cases, 1,352 user-agent-environment interactions, and four SHADE-Arena domains plus 62 Agent-SafetyBench environments, agents including GPT-4.1, Qwen3-32B, and Llama-3.1-405B showed attack success rates above 90% by turn 1, while Prompt Harmlessness stayed below 1% and Refusal Rate below 2% (Li et al., 30 Sep 2025).
The same compositional vulnerability appears in MCP-based agent systems. "Servant, Stalker, Predator: How An Honest, Helpful, And Harmless (3H) Agent Unlocks Adversarial Skills" defines an exploit chain of length 2 as an ordered tuple
3
whose composition yields an emergent capability such as data exfiltration, market manipulation, or infrastructure compromise (Noever, 27 Aug 2025). The paper emphasizes attack-surface growth:
4
For the MCP-Universe benchmark with 5, pairwise combinations already reach approximately 36 585, while the total number of nontrivial chains grows as approximately 6 (Noever, 27 Aug 2025). Red-team examples include a surveillance chain combining location history, browser automation, and search; a financial manipulation chain combining yfinance, browser automation, location, and GitHub; and an infrastructure-compromise chain spanning search, browser automation, GitHub, location, financial analysis, and 3D modeling (Noever, 27 Aug 2025).
"ChainFuzzer: Greybox Fuzzing for Workflow-Level Multi-Tool Vulnerabilities in LLM Agents" turns this observation into a discovery pipeline (Wu et al., 13 Mar 2026). The agent workflow is modeled as a graph 7 of tools and data dependencies, including both direct dependencies and indirect persistence-based edges. Candidate chains are extracted backward from high-impact sink tools under strict intra-tool dataflow evidence; Trace-guided Prompt Solving then edits prompts until the agent executes the target chain reliably in five consecutive runs; guardrail-aware fuzzing finally mutates payloads to trigger sinks such as CMDi, CODEi, SSRF, SQLi, and SSTI (Wu et al., 13 Mar 2026). On 20 open-source agent apps comprising 998 tools, the system extracted 2,388 candidate tool chains, synthesized 2,213 stable prompts, and confirmed 365 unique reproducible vulnerabilities across 19/20 apps, of which 302 required multi-tool execution. Reported component metrics include 96.49% edge precision, 91.50% strict chain precision, TPS reachability improvement from 27.05% to 95.45%, and payload trigger-rate improvement from 18.20% to 88.60%, yielding 3.02 vulnerabilities per 1M tokens (Wu et al., 13 Mar 2026).
A recurring controversy concerns defenses based on isolated prompt checks. The STAC results are explicit that prompt-based defenses provide limited protection and that stronger protection requires reasoning over the complete conversation history and the complete action sequence (Li et al., 30 Sep 2025). The MCP and ChainFuzzer results are consistent with that conclusion: per-tool authorization and per-step harmlessness do not reliably bound the risk of the composed workflow.
6. Supply-chain observability, reconstruction, and prediction
In software supply chains, the exploit-chain problem is both evidentiary and predictive. "SynthChain: A Synthetic Benchmark and Forensic Analysis of Advanced and Stealthy Software Supply Chain Attacks" states that advanced supply-chain attacks are increasingly runtime-only and leave fragmented evidence across hosts, services, and build or dependency layers, so no single telemetry stream is inherently sufficient to reconstruct full compromise chains under realistic access and budget limits (Tan et al., 17 Mar 2026). The testbed covers seven representative scenarios across PyPI, npm, and a native C/C++ case, on Windows and Linux, with four hosts and one containerized environment. Ground truth spans 14 MITRE ATT&CK tactics and 161 techniques, and the corpus contains approximately 0.58M raw multi-source events and 1.50M evaluation rows (Tan et al., 17 Mar 2026).
Its observability and reconstruction metrics are defined per scenario using the number of expected coarse steps 8, tagged steps 9, and covered steps 0 under telemetry configuration 1, yielding
2
Weighted aggregation is computed across scenarios by weighting each scenario by 3 (Tan et al., 17 Mar 2026). The key empirical result is that the best single source reaches only 0.391 weighted tag/step coverage and 0.403 mean chain reconstruction, while the best two-source pair reaches 0.636 weighted tag coverage, 0.545 weighted chain coverage, and 0.639 mean reconstruction, approximately a 1.6× gain over the best single stream (Tan et al., 17 Mar 2026). Host lineage and audit streams anchor INSTALL, EXEC, and DOWNLOAD steps; network and service logs anchor OUTBOUND_CONN and EXFIL; system and authentication logs fill persistence gaps and repair missing provenance through join keys such as process ID, host or user identity, and network endpoints (Tan et al., 17 Mar 2026).
Prediction-oriented work treats exploit chains as structured dependencies over SBOMs rather than as flat CVE lists. "Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of Materials Graphs" converts vulnerability-enriched CycloneDX SBOMs into heterogeneous graphs
4
with node types for components, CVEs, and schema-supported CWE nodes, and relation types such as DEPENDS_ON and HAS_VULNERABILITY (Baird et al., 4 Apr 2026). A two-layer Heterogeneous Graph Attention Network with 5 heads, hidden dimension 64, and dropout 0.2 is used as a feasibility check for component vulnerability classification. On 200 real-world SBOMs from the Wild SBOMs public dataset, the HGAT achieves 91.03% Accuracy and 74.02% F1-score; when dependency edges are masked at inference, Recall collapses to 0 and F1 to 0, which the paper interprets as evidence that dependency relations carry the critical signal beyond local node features (Baird et al., 4 Apr 2026).
The same work frames chain discovery as CVE-pair link prediction. Candidate pairs are encoded by a 22-dimensional feature vector and scored by a 22→64→32→16→1 MLP trained on 35 documented chains with a 2:1 negative-to-positive sampling ratio. The reported held-out ROC-AUC is 0.93 (Baird et al., 4 Apr 2026). This does not yet reconstruct full chains, but it establishes a co-exploitation prior that can rank candidate cascades grounded in SBOM structure and known vulnerability metadata.
These results correct another common simplification: treating scanner findings as independent per-CVE records. The supply-chain literature instead argues that exploitability is often dependency-constrained, telemetry-constrained, and chain-level. A plausible implication is that future defensive pipelines will need to integrate chain reconstruction, cross-source correlation, and dependency-aware prediction rather than optimize only for isolated alerting.