Crims claim HexStrike AI penetration tool makes quick work of Citrix bugs
Attackers on underground forums claimed they were using HexStrike AI, an open-source red-teaming tool, against Citrix NetScaler vulnerabilities within hours of disclosure, according to Check Point cybersecurity evangelist Amit Weigman.
The AI tool, and its near-instantaneous adoption by cybercriminals, signal that “the window between disclosure and mass exploitation shrinks dramatically,” Weigman wrote in a Tuesday blog.
CVE-2025-7775, a critical, pre-auth remote code execution bug, was abused as a zero-day to drop webshells and backdoor appliances before Citrix issued a patch.
“And with HexStrike AI, the volume of attacks will only increase in the coming days,” Weigman warned.
HexStrike AI is an AI-powered penetration testing framework developed by security researcher Muhammad Osama and released on GitHub several weeks ago. The offensive security utility integrates with more than 150 security tools to perform network reconnaissance and scanning, web application security testing, reverse engineering and a slew of other tasks.
It also connects to more than a dozen AI agents to scan for vulnerabilities, automate exploit development, and discover new attack chains.
The GitHub repository warns that HexStrike AI shouldn’t be used for unauthorized system testing, illegal or harmful activities, or data theft. However, shortly after its release, criminals — as they are wont to do with any type of legitimate pen-testing tool — began discussing HexStrike AI in the context of the Citrix security holes, according to Check Point.
“Exploiting these vulnerabilities is non-trivial,” Weigman wrote. “Attackers must understand memory operations, authentication bypasses, and the peculiarities of NetScaler’s architecture. Such work has historically required highly skilled operators and weeks of development.”
However, dark-web posts shared by the company suggest that, within 12 hours of disclosure, attackers claimed to be using HexStrike AI to generate exploit code and scan for vulnerable NetScaler instances.
While Check Point security architect manager Aaron Rose told The Register that the security shop doesn’t have proof “at this time” that miscreants actually used the AI tool to orchestrate attacks, “we have compelling early signals from attacker communities that the tool is being pointed at NetScaler zero-days, which makes it highly likely we’ll see confirmed exploitation soon.”
“HexStrike AI is a turning point because it collapses the barrier to entry for complex exploits,” Rose said. “Attacks that once required highly skilled operators and days of manual effort can now be orchestrated by AI in minutes, giving adversaries speed and scale defenders have never faced before.”
When asked about HexStrike AI being co-opted by attackers, and if he regrets releasing it publicly, Osama told The Register that it’s intended to help defenders stay ahead of the criminals and not the other way around.
“HexStrike AI was built as a defender-first framework to accelerate penetration testing and resilience assessments by combining LLM-driven orchestration with hundreds of security tools,” he said via email, in response to questions.
“The aim is to help defenders uncover vulnerabilities before attackers do, using AI to simulate diverse attack paths and perspectives at machine speed,” Osama said. “Like other security frameworks, it can be misused, but it does not include pre-built zero-day exploits. It automates workflows, and others may insert their own logic. I have also withheld release of the RAG-based version, which can dynamically integrate CVE intelligence and adjust testing in real time, to carefully balance empowering defenders with limiting abuse.”
RAG, or Retrieval-Augmented Generation, is an AI framework that combines LLMs with an information retrieval system, essentially supercharging the models’ responses.
The mission of HexStrike, he added, is to give defenders the same “adaptive automation” capabilities that adversaries are already using.
“HexStrike was created to strengthen defense and prepare the community for a future where AI-driven orchestration and autonomous agents will shape both attack and defense,” Osama said.