https://www.bleepingcomputer.com/news/security/hackers-use-new-hexstrike-ai-tool-to-rapidly-exploit-n-day-flaws

Cybercriminals are increasingly leveraging HexStrike-AI, a legitimate open-source penetration testing framework, to exploit newly disclosed n-day vulnerabilities within hours of their public disclosure, according to research from Check Point. The AI-powered offensive security tool, created by cybersecurity researcher Muhammad Osama, uses artificial intelligence agents to autonomously operate over 150 cybersecurity tools for automated vulnerability discovery and exploitation, but it has been co-opted by threat actors to dramatically shorten the time between vulnerability disclosure and active exploitation.

Check Point researchers observed significant dark web chatter about HexStrike-AI's use in exploiting recently disclosed Citrix NetScaler vulnerabilities, including CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, with attackers discussing deployment strategies within hours of the vulnerabilities' public disclosure. The tool's automation enables threat actors to scan for vulnerable instances, craft exploits, deliver payloads, and maintain persistence with minimal human intervention, effectively reducing n-day exploitation timeframes from several days to mere minutes. Attackers have reportedly used the framework to achieve unauthenticated remote code execution through CVE-2025-7775 and then deploy webshells on compromised appliances, and some criminal groups are offering compromised NetScaler instances for sale on underground markets.

The weaponisation of HexStrike-AI represents a paradigm shift in the threat landscape, in which legitimate red teaming tools designed for defensive security testing become force multipliers for malicious actors. The open-source framework, available on GitHub where it has garnered 1,800 stars and over 400 forks in just one month, operates with human-in-the-loop interaction through external large language models and includes retry logic and recovery handling so that an operation still completes even when individual steps fail. Shadowserver Foundation data shows nearly 8,000 endpoints remained vulnerable to CVE-2025-7775 as of September 2, 2025, down from 28,000 the previous week, highlighting both the ongoing exposure and the accelerated exploitation timeline. This development significantly compresses the already narrow patching window available to system administrators; Check Point warns that the dramatic reduction in time between disclosure and mass exploitation calls for stronger holistic security approaches, including early threat intelligence warnings, AI-driven defenses, and adaptive detection capabilities.