Hackers are more and more utilizing a brand new AI-powered offensive safety framework referred to as HexStrike-AI in actual assaults to use newly disclosed n-day flaws.
This exercise is reported by CheckPoint Analysis, which noticed important chatter on the darkish net round HexStrike-AI, related to the speedy weaponization of newly disclosed Citrix vulnerabilities, together with CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424.
In keeping with ShadowServer Basis’s information, practically 8,000 endpoints stay susceptible to CVE-2025-7775 as of September 2, 2025, down from 28,000 the earlier week.
Energy within the flawed fingers
HexStrike-AI is a official crimson teaming software created by cybersecurity researcher Muhammad Osama, which permits the combination of AI brokers to autonomously run over 150 cybersecurity instruments for automated penetration testing and vulnerability discovery.
“HexStrike AI operates with human-in-the-loop interplay by exterior LLMs by way of MCP, making a steady cycle of prompts, evaluation, execution, and suggestions,” reads its creator’s description.
HexStrike-AI’s shopper contains a retry logic and restoration dealing with to mitigate the results of failures in any particular person step on its complicated operations. As an alternative, it mechanically retries or adjusts its configuration till the operation completes efficiently.
The software has been open-source and obtainable on GitHub for the final month, the place it has already garnered 1,800 stars and over 400 forks.
Sadly, it has additionally attracted the eye of hackers who’ve begun to make use of it of their assaults.
In keeping with CheckPoint, hackers began discussing the software on hacking boards, the place they mentioned how one can deploy HexStrike-AI to use the talked about Citrix NetScaler ADC and Gateway zero-day vulnerabilities inside hours of their disclosure.
Supply: CheckPoint
Risk actors reportedly used it to realize unauthenticated distant code execution by CVE-2025-7775 after which drop webshells on compromised home equipment, with some providing compromised NetScaler situations on the market.
CheckPoint believes it is seemingly the attackers used the brand new pentesting framework to automate their exploitation chain, scanning for susceptible situations, crafting exploits, delivering payloads, and sustaining persistence.
Supply: CheckPoint
Though the precise involvement of HexStrike-AI in these assaults hasn’t been confirmed, such a degree of automation may cut back the n-day flaw exploitation instances from a number of days down to some minutes.
Such a growth would depart system directors with an already small patching window and even much less time earlier than assaults start.
“The window between disclosure and mass exploitation shrinks dramatically.” commented Test Level on a not too long ago disclosed Citrix flaw.
“CVE-2025-7775 is already being exploited within the wild, and with Hexstrike-AI, the quantity of assaults will solely improve within the coming days.”
Though speedy patching stays essential, this paradigm shift introduced by AI-powered assault frameworks makes it much more vital to take care of a powerful, holistic safety stance.
Test Level recommends defenders deal with early warning by menace intelligence, AI-driven defenses, and adaptive detection.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and information exfiltration traits.
