Crooks turn HexStrike AI into a weapon for fresh vulnerabilities

Pierluigi Paganini September 03, 2025

Threat actors abuse HexStrike AI, a new offensive security tool meant for red teaming and bug bounties, to exploit fresh vulnerabilities.

Check Point researchers warn that threat actors are abusing AI-based offensive security tool HexStrike AI to quickly exploit recently disclosed security flaws.

HexStrike AI combines professional security tools with autonomous AI agents to deliver comprehensive security testing capabilities.

HexStrike AI uses MCP Agents to connect LLMs with real offensive tools, orchestrating 150+ security utilities. It acts as a conductor, turning vague commands into precise steps for penetration testing, exploitation, and data exfiltration. This orchestration brain adapts in real time, automating complex attack workflows.

Shortly after its release, Check Point researchers observed dark web posts in which malicious actors discussed weaponizing HexStrike AI to exploit the Citrix NetScaler zero-days, turning a tool built for defenders into an attack engine.

“Within hours of its release, dark web chatter shows threat actors attempting to use HexStrike-AI to go after recent zero-day CVEs, with attackers dropping webshells for unauthenticated remote code execution.” reads the report published by Check Point. “These vulnerabilities are complex and require advanced skills to exploit. With Hexstrike-AI, threat actors claim to reduce the exploitation time from days to under 10 minutes.”


“But almost immediately after release, malicious actors began discussing how to weaponize it. Within hours, certain underground channels discussed application of the framework to exploit the Citrix NetScaler ADC and Gateway zero-day vulnerabilities disclosed last Tuesday (08/26).” continues the report.

“This marks a pivotal moment: a tool designed to strengthen defenses has been claimed to be rapidly repurposed into an engine for exploitation, crystallizing earlier concepts into a widely available platform driving real-world attacks.”

The use of “dual-use” AI tools such as HexStrike AI shrinks the gap between disclosure and mass exploitation, automates parallel attacks against many targets, and reduces the human effort and skill required.

On August 26, Citrix disclosed three zero-days in NetScaler ADC and Gateway: CVE-2025-7775 (remote code execution, already exploited in the wild), CVE-2025-7776 (a high-risk memory flaw), and CVE-2025-8424 (an access control weakness). Exploiting these bugs previously required considerable expertise, but according to Check Point, Hexstrike-AI automates scanning, exploit crafting, and payload delivery. Within 12 hours of the disclosure, threat actors were discussing its use and even offering vulnerable instances for sale. Attacks that once took weeks to prepare can now launch in minutes and at scale, with automated retries boosting the success rate, shrinking the disclosure-to-exploitation window.

“Hexstrike-AI is a watershed moment. What was once a conceptual architecture – a central orchestration brain directing AI agents – has now been embodied in a working tool. And it is already being applied against active zero days.” concludes the report. “The security community has been warning about the convergence of AI orchestration and offensive tooling, and Hexstrike-AI proves those warnings weren’t theoretical. What seemed like an emerging possibility is now an operational reality, and attackers are wasting no time putting it to use.”
