HexStrike-AI Integrates LLMs with Over 150 Security Tools

In a troubling development, hackers have swiftly adopted an open-source offensive security framework to exploit vulnerabilities in Citrix NetScaler, just hours after these vulnerabilities were made public, according to findings from Check Point researchers.
Developed by cybersecurity expert Muhammad Osama, the HexStrike-AI framework facilitates automated penetration testing by connecting large language models (LLMs) to over 150 existing security tools. This integration allows for sequential operations with mechanisms for retry logic and error recovery.
The framework operates on a “human-in-the-loop” model that uses external LLMs via the Model Context Protocol (MCP). This process creates a continuous cycle of prompting, analyzing, executing, and providing feedback. Since its public release on GitHub, the project has gained substantial traction, amassing over 1,800 stars and more than 400 forks within its first month.
Check Point indicated that discussions surrounding HexStrike-AI are proliferating across underground forums, where hackers are sharing knowledge on how to deploy it against three recently disclosed Citrix NetScaler vulnerabilities: CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. Among these, CVE-2025-7775 has been classified as a critical vulnerability that permits unauthenticated remote code execution.
Initial assessments by the ShadowServer Foundation revealed that approximately 28,000 internet-facing endpoints were vulnerable to CVE-2025-7775. This number decreased to around 8,000 by September 2, 2025, suggesting containment efforts by numerous organizations while a significant number of others remained exposed.
Utilizing HexStrike-AI, attackers have reportedly automated the processes of discovering and exploiting susceptible systems. Comments on dark web forums detail strategies for scanning vulnerable NetScaler instances, generating exploit payloads, and establishing web shells for persistent access, with some even advertising compromised Citrix devices for sale.
While exploiting such vulnerabilities typically takes considerable time, Check Point noted that HexStrike-AI has reduced this to mere minutes, significantly shrinking the window from disclosure to mass exploitation. This speed heightens the threat, as evidenced by ongoing exploitation of CVE-2025-7775.
Attribution of specific attacks to the HexStrike-AI framework remains challenging. Although the framework can orchestrate essential steps such as scanning, exploitation, and payload delivery, direct forensic evidence linking it to individual incidents is limited.
The dual-use nature of frameworks like HexStrike-AI is not unprecedented: earlier red-team tools such as Cobalt Strike and Metasploit have been both used for legitimate security purposes and exploited by malicious actors. What the integration of AI adds in HexStrike-AI is the ability to chain attack steps rapidly. Unlike manual operations, HexStrike-AI allows continuous management through language models, which improves recovery from errors and lets an attack persist.
The rollout of HexStrike-AI coincided with Citrix’s release of patches addressing the three NetScaler vulnerabilities. Legacy versions of NetScaler remain particularly exposed, as they no longer receive updates or fixes.
For organizations, the most effective defense continues to be timely patching. However, the rapidly shrinking gap between vulnerability disclosure and exploitation underscores the critical need for early detection and intelligence gathering strategies. Check Point emphasizes that “AI-driven defenses” and “adaptive detection” are becoming essential to counteract increasing AI-enabled threats.