Hackers Used Citrix and Cisco ISE Zero-Day Vulnerabilities in Their Attacks

Amazon's threat intelligence team has uncovered attacks exploiting two critical zero-day vulnerabilities: CVE-2025-5777 (dubbed "Citrix Bleed 2") in NetScaler ADC/Gateway and CVE-2025-20337 in Cisco Identity Services Engine (ISE). The findings reveal that attackers were exploiting these flaws weeks before the vendors disclosed them or released patches.

Discovery Through Honeypot Intelligence

Amazon's MadPot honeypot service, which monitors vulnerability exploitation in real time, detected the attacks. Researchers observed attempts to exploit Citrix Bleed 2 well before any public disclosure of the vulnerability.

During their investigation, the team identified an unusual payload targeting a previously undocumented endpoint in Cisco ISE through vulnerable deserialization logic. Amazon reported these findings directly to Cisco's security team.

The Vulnerabilities

CVE-2025-5777 (Citrix Bleed 2) involves an out-of-bounds memory read in NetScaler ADC and Gateway. Citrix released a patch in late June 2025. By early July, public exploits had surfaced, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog.

CVE-2025-20337 affects Cisco ISE and was publicly disclosed in July 2025. The flaw allows unauthenticated attackers to upload malicious files, execute arbitrary code, and gain root access on vulnerable devices. Shortly after releasing the patch, Cisco warned of active exploitation. In late July, Bobby Gould from Trend Micro's Zero Day Initiative published a detailed technical analysis documenting the full exploitation chain.

Amazon researchers now confirm that both vulnerabilities were used in advanced persistent threat (APT) campaigns before either vendor had published its security advisory.

The Attack Chain

According to Amazon's analysis, attackers followed this sequence:

  1. Initial Access: Exploited CVE-2025-20337 to gain administrative access to Cisco ISE endpoints without authentication
  2. Web Shell Deployment: Installed a custom web shell called IdentityAuditAction, disguised as a legitimate ISE component
  3. Persistence Mechanisms: The shell registered itself as an HTTP listener to intercept all requests and used Java reflection to inject into Tomcat server threads
  4. Evasion Techniques: Implemented DES encryption with non-standard base64 encoding for stealth. Access required knowledge of specific HTTP headers, leaving minimal forensic evidence.

Attribution and Targeting

The sophistication of these attacks—using multiple zero-days combined with deep knowledge of Java/Tomcat and Cisco ISE architecture—suggests the work of an advanced, likely state-sponsored threat group. However, researchers could not definitively link the activity to any known APT organization.

Interestingly, the attacks were not targeted. The threat actors appeared to scan and exploit vulnerable systems indiscriminately. This pattern is unusual for highly skilled groups, which typically focus on specific, high-value targets. Amazon researchers believe the attackers may have been testing their capabilities or conducting reconnaissance ahead of a larger campaign.

Recommendations

Amazon strongly recommends the following immediate actions:

  • Install patches for CVE-2025-5777 and CVE-2025-20337 if you haven't already
  • Restrict access to perimeter network devices using firewalls
  • Implement multi-layered protection for internet-facing infrastructure
  • Monitor for indicators of compromise related to these vulnerabilities
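The attack chain above describes a web shell that listened on HTTP, hid behind a path disguised as a legitimate ISE component, and only answered requests carrying specific headers. The last recommendation, monitoring for indicators of compromise, can be approached without knowing those exact headers or paths: baseline what the appliance normally serves and which request headers normal clients send, then flag deviations. The script below is an added defensive example, not code from Amazon, Cisco or this article. The log format (one line per request, ending with the list of request header names, as a reverse proxy or WAF in front of the appliance might emit), the allow-listed URL prefixes, the sample log lines and the header name `X-Audit-Token` are all constructed for illustration and are not Cisco ISE artifacts or real indicators from the campaign.

```python
"""Flag HTTP requests to an appliance that fall outside a known baseline.

Added defensive example. The log format, path prefixes and header names
are constructed for illustration; none of them are Cisco ISE or Amazon
artifacts or real indicators of compromise.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed log format:
#   <client> "<METHOD> <path> HTTP/1.x" <status> headers=<Name,Name,...>
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) headers=(?P<headers>[^ ]*)$'
)

# Hypothetical baseline of URL prefixes this deployment is known to serve.
# A real baseline would be built from weeks of known-good traffic.
KNOWN_PREFIXES = ("/admin/", "/ers/", "/api/v1/", "/portal/")

# Request headers ordinary browsers and API clients send (lower-case).
COMMON_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "content-type", "content-length", "cookie", "authorization",
    "connection", "referer", "origin", "x-requested-with", "x-forwarded-for",
}


@dataclass
class Finding:
    line_no: int
    client: str
    path: str
    reasons: Tuple[str, ...]


def parse(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["headers"] = tuple(h.strip().lower() for h in rec["headers"].split(",") if h)
    return rec


def analyse(lines: Iterable[str],
            known_prefixes: Tuple[str, ...] = KNOWN_PREFIXES,
            common_headers=COMMON_HEADERS) -> List[Finding]:
    """Return a Finding for every request that deviates from the baseline.

    Two deviations are checked, matching the behaviour described for the
    web shell: a successful response from a path the appliance is not known
    to serve, and request headers that normal clients never send.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        reasons = []
        # Only successful responses matter here: a 404 to an unknown path is
        # ordinary scanner noise, a 200 from one means something answered.
        if rec["status"] < 400 and not rec["path"].startswith(known_prefixes):
            reasons.append("served path outside known baseline")
        odd = sorted(set(rec["headers"]) - common_headers)
        if odd:
            reasons.append("unexpected request headers: " + ",".join(odd))
        if reasons:
            findings.append(Finding(line_no, rec["client"], rec["path"], tuple(reasons)))
    return findings


# Constructed sample traffic: two normal requests, two that touch a
# hypothetical unknown servlet and/or carry a non-standard header, and a
# harmless 404 from a scanner.
SAMPLE_LOG = [
    '203.0.113.10 "GET /admin/login.jsp HTTP/1.1" 200 headers=Host,User-Agent,Accept,Cookie',
    '203.0.113.10 "POST /ers/config/endpoint HTTP/1.1" 201 headers=Host,User-Agent,Content-Type,Authorization',
    '198.51.100.7 "POST /unknown-servlet/ HTTP/1.1" 200 headers=Host,User-Agent,X-Audit-Token',
    '198.51.100.7 "GET /portal/ HTTP/1.1" 200 headers=Host,User-Agent,X-Audit-Token',
    '192.0.2.5 "GET /nonexistent HTTP/1.1" 404 headers=Host,User-Agent',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.path}: {'; '.join(f.reasons)}")
```

On the sample traffic the third and fourth lines are flagged (the third for both an unknown path and an unexpected header, the fourth for the header alone) while the scanner's 404 is ignored. The value of the header check is that a shell gated on a secret header still leaves that header name in any proxy or WAF log that records request headers; the path check is only as good as the baseline, so build it from the appliance's documented and observed endpoints rather than guessing.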