Stratos Ally

“Hackers Weaponize ‘HexStrike AI’ to Exploit Fresh Citrix NetScaler Flaws” 

StratosAlly

Researchers at Check Point have warned that cybercriminals are attempting to leverage HexStrike AI to automate attacks against recently disclosed Citrix NetScaler flaws, with underground forum posts describing active use. The developments highlight how quickly cybercriminals are adapting emerging platforms for large-scale attacks.  

Promoted as an AI-driven resource for red teams or bug bounty researchers, the open-source platform combines more than 150 penetration testing utilities. At its core, an orchestration layer links large language models with these utilities, enabling broad instructions to be converted into tailored exploitation sequences that can operate independently. Although much of HexStrike AI’s process is automated, its framework often incorporates human oversight to verify findings and supervise high-impact actions, reflecting the current balance in cutting-edge AI attack tools.

Citrix Flaws Targeted 

Soon after HexStrike AI was released, underground forums reported a surge in its use to target three Citrix flaws disclosed on August 26.  

  • CVE-2025-7775 – Unauthenticated remote code execution (already exploited in the wild).   
  • CVE-2025-7776 – Memory-handling flaw (high-risk, unconfirmed exploitation).   
  • CVE-2025-8424 – Access control weakness (critical exposure, unconfirmed exploitation).  

CVE-2025-7775 has been confirmed as exploited in the wild; exploitation of CVE-2025-7776 and CVE-2025-8424 remains unconfirmed. According to threat actors, the framework cuts exploitation effort from days to under ten minutes, and some groups have begun monetizing the activity by advertising vulnerable or compromised NetScaler appliances. Although threat actors have publicly discussed using HexStrike AI for exploitation, direct forensic evidence of its use in live attacks is still emerging. External scans indicate thousands of NetScaler instances remained exposed to CVE-2025-7775 in the days following disclosure.

Escalating Risks  

According to Check Point, HexStrike AI can automate the primary phases of an intrusion, from reconnaissance and exploit crafting to persistence, including scanning for exposed devices, generating and delivering custom payloads such as webshells, and establishing long-term access on compromised systems. The framework also enables parallel exploitation, allowing adversaries to scan and strike thousands of targets simultaneously.  

This automation lowers the barrier for exploiting complex vulnerabilities, allowing rapid, large-scale attacks previously achievable only by skilled experts.

Check Point advised enterprises to deploy adaptive detection that keeps pace with shifting attack techniques, strengthen defenses with AI-driven platforms to blunt automated exploitation, and speed up patching through automated validation and rollout. It also stressed resilience measures, such as network segmentation, recovery planning, and treating compromise as an expected condition, as essential to a durable security strategy.  

Big-Picture Takeaway  

While recent attacks have centered on Citrix NetScaler appliances, HexStrike AI’s architecture enables rapid adaptation to newly disclosed vulnerabilities, potentially accelerating exploitation across multiple product lines. This shift marks a broader transformation in cyber operations, illustrating how dual-use AI frameworks have moved from theoretical concepts to active exploitation. The effect is a shrinking window between disclosure and exploitation, pushing defenders to match this pace through automation, rapid response, and resilience by design.
