Crooks Turn HexStrike AI into a Weapon for Fresh Vulnerabilities
Threat actors have abused the new HexStrike AI tool, designed for red teaming and bug bounties, to exploit fresh vulnerabilities. Check Point researchers warned that crooks are using AI-based offensive security tool HexStrike AI to quickly exploit recently disclosed security flaws.
HexStrike AI combines professional security tools with autonomous AI agents to deliver comprehensive security testing capabilities. It uses MCP Agents to connect LLMs (Large Language Models) with real offensive tools, orchestrating over 150 security utilities. This orchestration brain adapts in real-time, automating complex attack workflows.
The tool acts as a conductor, turning vague commands into precise steps for penetration testing, exploitation, and data exfiltration. Malicious actors quickly attempted to weaponize HexStrike AI, discussing its use to exploit Citrix NetScaler zero-days, turning a defensive tool into an attack engine.
Dark Web Posts Reveal Threat Actors' Plans
"Within hours of its release, dark web chatter shows threat actors attempting to use HexStrike-AI to go after recent zero-day CVEs," reads the report published by Check Point. "Attackers dropped webshells for unauthenticated remote code execution."
These vulnerabilities are complex and require advanced skills to exploit. With HexStrike AI, threat actors claim to reduce the exploitation time from days to under 10 minutes.
The Convergence of AI Orchestration and Offensive Tooling
"But almost immediately after release, malicious actors began discussing how to weaponize it. Within hours, certain underground channels discussed application of the framework to exploit the Citrix NetScaler ADC and Gateway zero-day vulnerabilities disclosed last Tuesday (08/26)," continues the report.
This marks a pivotal moment: a tool designed to strengthen defenses has been claimed to be rapidly repurposed into an engine for exploitation, crystallizing earlier concepts into a widely available platform driving real-world attacks.
The Impact of Dual-Use AI Tools
The use of "dual-use" AI tools shrinks the gap between disclosure and mass exploitation. Automating parallel attacks and reducing human effort increases the efficiency of threat actors' operations.
On August 26, Citrix disclosed three zero-days in NetScaler ADC/Gateway: CVE-2025-7775 (RCE, already exploited), CVE-2025-7776 (memory flaw, high-risk), and CVE-2025-8424 (access control weakness). Exploitation was once complex, but Hexstrike-AI now automates scanning, exploit crafting, and payload delivery.
Within 12 hours, threat actors discussed its use, even selling vulnerable instances. Attacks that took weeks can launch in minutes, at scale, with retries boosting success—shrinking disclosure-to-exploitation time.
A Watershed Moment
"Hexstrike-AI is a watershed moment," concludes the report. "What was once a conceptual architecture – a central orchestration brain directing AI agents – has now been embodied in a working tool. And it is already being applied against active zero days."
The security community has been warning about the convergence of AI orchestration and offensive tooling, and Hexstrike-AI proves those warnings weren't theoretical. What seemed like an emerging possibility is now an operational reality, and attackers are wasting no time putting it to use.
Stay Informed
Follow me on Twitter: @securityaffairs and Facebook and Mastodon for the latest security news and updates.