New AI-powered HexStrike tool is being used to target multiple Citrix security flaws
Hackers up the ante with vulnerability abuse automation

- A legitimate red teaming tool called HexStrike-AI is drawing the attention of the wrong crowd
- Researchers are seeing "chatter" about the tool being leveraged to exploit known Citrix flaws
- The patching window for system administrators keeps shrinking
Cybercriminals are using a legitimate red teaming tool to automate the exploitation of n-day vulnerabilities, reducing the time businesses have to fix flaws from days to literal minutes.
Security experts at Check Point Research said they observed “chatter” on the dark web about a tool called HexStrike-AI, an open source offensive security framework that connects large language models such as GPT, Claude, and Copilot with cybersecurity tools through the Model Context Protocol. It provides access to more than 150 tools for penetration testing, bug bounty automation, and vulnerability research, using multiple AI agents to manage workflows, analyze data, and run scanning, exploitation, or reporting tasks.
It is powered by an “Intelligent Decision Engine” that selects and executes tools based on the target environment, and supports network analysis, web application testing, cloud security checks, reverse engineering, and OSINT.
Citrix in the spotlight
Check Point Research says that hackers are sharing information on how to deploy HexStrike-AI to take advantage of CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, three vulnerabilities recently discovered in Citrix NetScaler ADC and Gateway instances.
The tool allegedly helped them achieve unauthenticated remote code execution which, in turn, allowed them to drop webshells and maintain persistence.
While this chatter alone isn’t evidence of abuse, if confirmed it would mean that exploitation time can be cut from several days to a few minutes, leaving system administrators, whose patching window is already small, with even less time before attacks begin.
“CVE-2025-7775 is already being exploited in the wild, and with Hexstrike-AI, the volume of attacks will only increase in the coming days,” CPR warned.
With this level of automation, keeping software updated without a patch management platform will probably be impossible.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.