This paper studies how multimodal large language models (MLLMs) undermine the security guarantees of visual CAPTCHA. We identify the attack surface where an adversary can cheaply automate CAPTCHA solving using off-the-shelf models. We evaluate 7 leading commercial and open-source MLLMs across 18 real-world CAPTCHA task types, measuring single-shot accuracy, success under limited retries, end-to-end latency, and per-solve cost. We further analyze the impact of task-specific prompt engineering and few-shot demonstrations on solver effectiveness. We reveal that MLLMs can reliably solve recognition-oriented and low-interaction CAPTCHA tasks at human-like cost and latency, whereas tasks requiring fine-grained localization, multi-step spatial reasoning, or cross-frame consistency remain significantly harder for current models. By examining the reasoning traces of such MLLMs, we investigate the underlying mechanisms of why models succeed/fail on specific CAPTCHA puzzles and use these insights to derive defense-oriented guidelines for selecting and strengthening CAPTCHA tasks. We conclude by discussing implications for platform operators deploying CAPTCHA as part of their abuse-mitigation pipeline.Code Availability (https://anonymous.4open.science/r/Captcha-465E/).

翻译：本文研究多模态大语言模型（MLLMs）如何削弱视觉验证码（CAPTCHA）的安全保障。我们识别了攻击面，即攻击者可以利用现成模型低成本自动化破解验证码。我们评估了7个领先的商业和开源MLLMs在18种真实世界验证码任务类型上的表现，测量了单次尝试准确率、有限重试下的成功率、端到端延迟以及每次破解成本。我们进一步分析了任务特定提示工程和少量示例演示对求解器效果的影响。研究发现，MLLMs能够以类人成本和延迟可靠地解决面向识别和低交互性的验证码任务，而需要细粒度定位、多步空间推理或跨帧一致性的任务对当前模型而言仍然显著困难。通过检查此类MLLMs的推理轨迹，我们探究了模型在特定验证码谜题上成功或失败的内在机制，并利用这些洞见推导出面向防御的指南，用于选择和强化验证码任务。最后，我们讨论了平台运营商将验证码作为其滥用缓解流程一部分部署时的实际影响。代码可用性（https://anonymous.4open.science/r/Captcha-465E/）。