AI-Powered HexStrike Tool Exploited to Target Citrix Vulnerabilities

New AI-powered HexStrike tool is being used to target multiple Citrix security flaws

Key Points

  • HexStrike‑AI links large language models like GPT, Claude and Copilot to over 150 security tools.
  • The framework automates penetration‑testing workflows using AI agents and an Intelligent Decision Engine.
  • Check Point Research observed dark‑web chatter about using HexStrike‑AI to exploit Citrix NetScaler ADC and Gateway vulnerabilities CVE‑2025‑7775, CVE‑2025‑7776 and CVE‑2025‑8424.
  • According to that chatter, the tool enables unauthenticated remote code execution, web‑shell deployment and persistence.
  • Automation could reduce exploitation time from days to minutes, shrinking the patching window for administrators.
  • Organizations are urged to apply patches promptly and consider additional monitoring for AI‑driven attack activity.

Security researchers have observed that the open‑source red‑team framework HexStrike‑AI, which links large language models such as GPT, Claude and Copilot to over 150 penetration‑testing utilities, is being leveraged by cybercriminals to exploit newly disclosed Citrix NetScaler ADC and Gateway flaws. Check Point Research reported chatter on the dark web detailing how the tool automates unauthenticated remote code execution against CVE‑2025‑7775, CVE‑2025‑7776 and CVE‑2025‑8424, potentially shrinking the window for patching and increasing the speed of attacks.

Overview of HexStrike‑AI

HexStrike‑AI is an open‑source offensive security framework that connects large language models—including GPT, Claude and Copilot—to a broad suite of cybersecurity tools via the Model Context Protocol. The platform claims to provide access to more than 150 utilities for penetration testing, bug bounty automation and vulnerability research. It employs multiple AI agents to orchestrate workflows, analyze data and execute scanning, exploitation or reporting tasks, all driven by an "Intelligent Decision Engine" that selects tools based on the target environment.

Capabilities and Intended Use

Designed as a legitimate red‑team tool, HexStrike‑AI supports a range of security activities such as network analysis, web‑application testing, cloud‑security assessments, reverse engineering and open‑source intelligence (OSINT). Its AI‑driven decision engine automates the selection and execution of appropriate tools, aiming to streamline complex security engagements and reduce manual effort for security professionals.

Observed Abuse Targeting Citrix Flaws

Check Point Research uncovered chatter on dark‑web forums describing how threat actors are repurposing HexStrike‑AI to exploit three newly disclosed vulnerabilities in Citrix NetScaler ADC and Gateway—identified as CVE‑2025‑7775, CVE‑2025‑7776 and CVE‑2025‑8424. According to the reports, the tool enables unauthenticated remote code execution, allowing attackers to drop web shells and maintain persistence on compromised systems.

While the chatter does not constitute definitive proof of widespread abuse, the researchers warned that the automation provided by HexStrike‑AI could compress the exploitation timeline from several days to a matter of minutes. This acceleration threatens to outpace traditional patch‑management processes, further narrowing the already limited window administrators have to remediate the flaws.

Implications for Organizations

The potential for rapid, automated exploitation underscores the urgency for organizations running Citrix NetScaler ADC or Gateway to prioritize patching of the identified CVEs. Security teams may also need to consider additional detection mechanisms to identify anomalous activity associated with AI‑driven attack tools. The co‑opting of legitimate security frameworks for malicious purposes highlights a broader challenge in balancing innovation with risk management in the cybersecurity landscape.
