Hackers Use AI Tool HexStrike AI to Exploit Fresh Vulnerabilities

Analysts at Check Point have warned that threat actors are leveraging a new AI framework called HexStrike AI—originally designed for offensive cybersecurity—to exploit fresh n-day vulnerabilities in real-world attacks.

Activity on the Darknet
Researchers observed discussions related to HexStrike AI on darknet forums, where hackers described using the tool to rapidly exploit vulnerabilities in Citrix products, including CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424.
According to the ShadowServer Foundation, as of September 2, 2025, nearly 8,000 endpoints remained exposed to CVE-2025-7775. Just one week earlier, the number of vulnerable systems exceeded 28,000.

A Legitimate Tool Misused
HexStrike AI is a legitimate open-source red team framework created by independent researcher Muhammad Osama. The project allows the integration of AI agents to autonomously run more than 150 security tools, automating penetration testing and vulnerability discovery.
“HexStrike AI operates in a mode of interaction with the operator through external LLMs via MCP, creating a continuous cycle of prompts, analysis, command execution, and feedback,” explains Osama.
The tool can retry failed attempts, recover from crashes, and automatically adjust settings until an operation succeeds—minimizing the risk of disruption from single errors.
Launched on GitHub about a month ago, the framework has already received 1,800 stars and more than 400 forks. Its documentation explicitly forbids use in unauthorized penetration testing, malicious activity, or data theft. Nevertheless, it has already caught the attention of cybercriminals.

From Discussion to Exploitation
Check Point experts note that discussions about using HexStrike AI to exploit Citrix NetScaler ADC and Gateway vulnerabilities appeared just 12 hours after disclosure.
Forum posts suggest that attackers successfully achieved unauthenticated remote code execution via CVE-2025-7775 using HexStrike AI, later deploying web shells on compromised devices. Some of those compromised NetScaler systems were reportedly offered for sale.
Researchers believe HexStrike AI is being used to automate the entire exploitation chain—identifying vulnerable systems, generating exploits, delivering payloads, and establishing persistence.
Although direct evidence of attacks beyond forum chatter is still lacking, experts stress that such automation reduces the time needed to weaponize n-day vulnerabilities from days to mere minutes.

“The window between disclosure and mass exploitation is shrinking rapidly,” warns Check Point. “CVE-2025-7775 is already being exploited in real-world attacks, and with HexStrike AI, the volume will only increase. Attacks that once required skilled operators and days of manual effort can now be orchestrated by AI in minutes, offering speed and scale defenders have not previously faced.”

Defensive Recommendations
Check Point advises organizations to prioritize:
- Early warning systems
- AI-powered protection measures
- Adaptive threat detection

The Creator’s Perspective
Osama emphasizes that HexStrike AI was built to empower defenders, not attackers.
“HexStrike AI was designed to accelerate pentesting and resilience assessments by combining LLM orchestration with hundreds of security tools. Its goal is to help defenders discover vulnerabilities before attackers do,” says Osama.
He notes that HexStrike AI does not include ready-made 0-day exploits but instead automates workflows that others can extend with their own logic. Osama also confirmed that he delayed the release of the RAG version—which would dynamically integrate CVE intelligence and adapt tests in real time—in order to limit potential abuse.
“The mission of HexStrike AI is to provide defenders with the same adaptive automation capabilities that hackers are beginning to exploit,” Osama concludes. “It is built to strengthen defenses and prepare the community for a future where AI orchestration and autonomous agents will shape both attacks and defense.”