Hackers Use New HexStrike-AI Tool to Rapidly Exploit n-Day Flaws

In a disturbing trend, hackers are increasingly leveraging a new AI-powered offensive security framework called HexStrike-AI to rapidly exploit newly disclosed vulnerabilities in the wild. The development was reported by Check Point Research, which has observed significant chatter on the dark web around HexStrike-AI in connection with the rapid weaponization of Citrix vulnerabilities.

The most notable of these is CVE-2025-7775, which still affects nearly 8,000 endpoints as of September 2, 2025, down from 28,000 a week earlier. According to the Shadowserver Foundation's data, this vulnerability continues to pose a significant threat to system administrators worldwide.

About HexStrike-AI

HexStrike-AI is a legitimate red teaming tool created by cybersecurity researcher Muhammad Osama. This AI-powered framework enables the integration of over 150 cybersecurity tools for automated penetration testing and vulnerability discovery. According to its creator, "HexStrike AI operates with human-in-the-loop interaction through external LLMs via MCP, creating a continuous cycle of prompts, analysis, execution, and feedback."

The tool's client includes retry logic and recovery handling so that the failure of any individual step does not derail a longer, multi-step operation. Rather than aborting, it automatically retries the step or adjusts its configuration until the operation completes successfully.

Open-Source but Attracting Malicious Attention

HexStrike-AI has been open-sourced and available on GitHub for about a month, and in that time it has already garnered significant attention, with 1,800 stars and over 400 forks. This newfound popularity, however, has also attracted malicious actors, who have begun to use the tool in their attacks.

Threat Actors' Tactics

According to Check Point, hackers began discussing the tool on hacking forums, including how to deploy HexStrike-AI to exploit the Citrix NetScaler ADC and Gateway zero-day vulnerabilities mentioned above within hours of their disclosure. Threat actors reportedly used it to achieve unauthenticated remote code execution through CVE-2025-7775 and then drop webshells on compromised appliances.

Some threat actors even offered compromised NetScaler instances for sale, indicating a level of automation in their exploitation chain. Check Point believes it is likely that the attackers used HexStrike-AI to automate that chain end to end: scanning for vulnerable instances, crafting exploits, delivering payloads, and maintaining persistence.

A Dramatic Shift in n-Day Flaw Exploitation

Although HexStrike-AI's actual involvement in these attacks has not been confirmed, this level of automation could reduce n-day exploitation times from several days to just a few minutes. That would shrink an already small patching window, leaving system administrators even less time before attacks begin.

"The window between disclosure and mass exploitation shrinks dramatically," said Check Point regarding a recently disclosed Citrix flaw. "CVE-2025-7775 is already being exploited in the wild, and with HexStrike-AI, the volume of attacks will only increase in the coming days."

A Call to Action

In light of the paradigm shift brought by AI-powered attack frameworks, it is more important than ever for security professionals to maintain a strong, holistic security posture. Check Point recommends that defenders focus on early warning through threat intelligence, AI-driven defenses, and adaptive detection.

"Password cracking is a significant concern, with 46% of environments having passwords cracked, nearly doubling from 25% last year," said Check Point. "We urge everyone to take action and stay vigilant in the face of this ever-evolving threat landscape."