Cybercriminals are increasingly turning to HexStrike-AI, an open-source artificial intelligence framework originally built for ethical red teaming, to rapidly exploit critical vulnerabilities in Citrix’s NetScaler products. Within hours of their disclosure, attackers have reportedly deployed HexStrike-AI to scan for weaknesses and execute remote attacks—shrinking the traditional patching window from days to mere minutes.
Discovered by Check Point Research, HexStrike-AI combines advanced large language models such as GPT and Claude with over 150 cybersecurity tools. Its architecture includes a powerful “Intelligent Decision Engine” that dynamically selects and deploys the most effective tools based on the target environment—automating tasks from scanning and exploitation to data analysis.
The framework has been linked to attempts at exploiting three recently disclosed Citrix vulnerabilities—CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424—that enable unauthenticated remote code execution. Attackers have allegedly used it to deploy webshells, establishing persistent access in just minutes. While confirmation of active use is still pending, the speed and scale enabled by HexStrike-AI mark a dangerous escalation in cyberweaponry.
Check Point warns that the rise of such AI-automated attack frameworks demands immediate action from defenders. Traditional defense strategies—manual patching, signature-based detection—are no longer sufficient against threats that can launch full-scale exploits in near real-time.