- A legitimate red teaming tool called HexStrike-AI is drawing the attention of the wrong crowd
- Researchers are seeing “chatter” about the tool being leveraged to exploit known Citrix flaws
- The patching window for system administrators keeps shrinking
Cybercriminals are using a legitimate red teaming tool to automate the exploitation of n-day vulnerabilities, reducing the time businesses have to fix flaws from days to literal minutes.
Security experts at Check Point Research said they observed “chatter” around the dark web of a tool called HexStrike-AI, an open source offensive security framework that connects large language models such as GPT, Claude, and Copilot with cybersecurity tools through the Model Context Protocol. It provides access to more than 150 tools for penetration testing, bug bounty automation, and vulnerability research, using multiple AI agents to manage workflows, analyze data, and run scanning, exploitation, or reporting tasks.
It is powered by an “Intelligent Decision Engine” that selects and executes tools based on the target environment, and supports network analysis, web application testing, cloud security checks, reverse engineering, and OSINT.
Citrix in the spotlight
Check Point Research says that hackers are sharing information on how to deploy HexStrike-AI to take advantage of CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, three vulnerabilities recently discovered in Citrix NetScaler ADC and Gateway instances.
The tool allegedly helped them achieve unauthenticated remote code execution which, in turn, allowed them to drop webshells and maintain persistence.
While this chatter isn’t evidence enough of abuse, if confirmed, the news would mean the exploitation time can be cut down from several days to a few minutes, leaving system administrators with an already small patching window, and even less time before attacks begin.
“CVE-2025-7775 is already being exploited in the wild, and with Hexstrike-AI, the volume of attacks will only increase in the coming days,” CPR warned.
With this level of automation, keeping software updated without a patch management platform will probably be impossible.
Via BleepingComputer
