Particle.news

Hackers Test HexStrike‑AI Against Newly Disclosed Citrix Flaws

Security telemetry shows early attacker interest on darknet forums, with roughly 8,000 NetScaler devices still exposed.

Overview

  • Check Point reports threat actors discussing and attempting to use the HexStrike‑AI framework to target Citrix NetScaler vulnerabilities CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424 within days of disclosure.
  • Darknet posts claim successful exploitation and offer access to compromised NetScaler appliances for sale, though direct attribution to HexStrike‑AI remains unconfirmed.
  • ShadowServer data shows about 8,000 endpoints still vulnerable to CVE-2025-7775 as of September 2, down from roughly 28,000 the prior week.
  • HexStrike‑AI is an open‑source red‑teaming framework by Muhammad Osama that orchestrates more than 150 tools with LLM‑driven agents, human‑in‑the‑loop control, and automated retry and recovery logic.
  • Check Point warns such AI‑driven automation can compress disclosure‑to‑exploitation timelines and urges rapid patching plus AI‑aware defenses, as researchers also highlight prompt‑injection risks for security agents.