Amazon Identifies APT Exploiting Zero-Day Flaws in Cisco ISE and Citrix NetScaler
Amazon's threat intelligence team uncovered an advanced persistent threat (APT) actor exploiting two zero-day vulnerabilities: CVE-2025-5777 (CitrixBleed 2) in Citrix NetScaler ADC and CVE-2025-20337 in Cisco Identity Services Engine (ISE). The Citrix flaw let attackers bypass authentication on NetScaler; the Cisco flaw gave them unauthenticated remote code execution on ISE. Amazon's MadPot honeypot network detected exploitation attempts before public disclosure, and follow-up investigation found a custom web shell disguised as a legitimate Cisco ISE component that gave the attackers persistent access. Both vulnerabilities were exploited in the wild before patches were available, which points to a capable actor deliberately targeting the identity and network access infrastructure that enforces enterprise security policy.
The campaign showed the actor's ability to weaponize vulnerabilities quickly and to exploit the patch gap between discovery and fix. Amazon shared technical details and indicators of compromise with Cisco to aid remediation. The custom malware was built specifically for Cisco ISE environments, and the activity underscores the increasing targeting of the systems that enforce security policy and manage authentication for an enterprise. Both Cisco and Citrix have since released patches, but the incident is a warning about the risk that zero-day exploitation of core network and identity management platforms poses.
Timeline
Nov 12, 2025
Amazon publicly discloses APT zero-day campaign details
On November 12, 2025, Amazon published research describing the advanced campaign exploiting Cisco ISE and Citrix NetScaler zero-days, including technical details on the custom malware and the actor's tradecraft. The disclosure framed the activity as evidence of growing adversary focus on identity and access infrastructure.
Jun 17, 2025
Citrix releases patches for CitrixBleed 2
Citrix released patches for CVE-2025-5777 on June 17, 2025, after Amazon had already observed exploitation in the wild. The flaw, later dubbed 'CitrixBleed 2,' was severe enough that U.S. federal agencies were reportedly given a one-day deadline to patch.
May 1, 2025
Amazon shares findings on Cisco ISE exploitation with Cisco
After identifying the campaign, Amazon shared its findings with Cisco, including details of the previously undisclosed Cisco ISE exploitation. At that stage, Cisco had not yet assigned a CVE and comprehensive patches were not yet available across affected branches.
May 1, 2025
Attackers deploy custom in-memory malware on Cisco ISE
During the campaign, the threat actor used a bespoke in-memory web shell and backdoor on Cisco ISE, disguised as a legitimate component and built to evade detection: it left minimal forensic traces on disk, used custom encryption for its traffic, and only responded to requests carrying a specific HTTP header, so ordinary requests to the same endpoint revealed nothing. The malware reflected deep knowledge of Java, Tomcat, and Cisco ISE internals.
May 1, 2025
Amazon MadPot honeypots detect the zero-day exploitation activity
Amazon's MadPot honeypot infrastructure detected the initial exploitation attempts tied to the campaign, helping uncover the actor's use of the Citrix and Cisco zero-days in the wild. This detection led Amazon Threat Intelligence to investigate the activity further.
May 1, 2025
APT campaign begins exploiting Citrix and Cisco flaws as zero-days
In May 2025, Amazon observed an advanced threat actor exploiting CVE-2025-5777 in Citrix NetScaler and CVE-2025-20337 in Cisco ISE before public disclosure and before patches were broadly available. The activity targeted critical identity and network access infrastructure using a patch-gap exploitation approach.
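The in-memory web shell described in the timeline above is hard to spot by name, since it is deliberately named like a legitimate ISE component, but it has one property it cannot hide: the class exists in the JVM without any backing .class file or jar on disk. The script below is an added example, not Amazon's, Cisco's or the actor's code, showing one way to hunt for that on a Tomcat host. It parses the output of `jcmd <pid> GC.class_histogram`, indexes every class present in the application's jars and class directories, and reports loaded application classes that no file accounts for. The histogram excerpt, the jar contents and the package `com.example.ise` are constructed for the demo; the page does not give the real shell's package name. Cisco ISE does not normally expose a root shell or JDK tools to administrators, so on an appliance this kind of hunt is done with vendor support or on a forensic image; on a generic Tomcat deployment it runs as written.

```python
"""Hunt for JVM classes that nothing on disk accounts for.

Added example (not Amazon's, Cisco's or the attacker's code). It compares the classes
a running JVM reports via `jcmd <pid> GC.class_histogram` against the classes that
exist in the application's jars and class directories. An application class that is
loaded but absent from disk is the footprint an in-memory web shell leaves behind,
whatever it is named. The sample histogram, jar contents and the `com.example.ise`
package below are constructed for this demo.
"""
from __future__ import annotations

import re
import tempfile
import zipfile
from pathlib import Path

# One data line of GC.class_histogram: "   5:  <instances>  <bytes>  <class name> (module)"
HISTOGRAM_LINE = re.compile(r"^\s*\d+:\s+(\d+)\s+(\d+)\s+(\S+)")

# Classes shipped in the JDK runtime image (never on the application classpath) or
# synthesised at run time; flagging them would only produce noise.
RUNTIME_PREFIXES = ("java.", "javax.", "jdk.", "sun.", "com.sun.", "[")
GENERATED_PATTERNS = (
    re.compile(r"\$\$Lambda"),                    # lambda metafactory classes
    re.compile(r"(^|\.)\$Proxy\d+$"),             # java.lang.reflect.Proxy classes
    re.compile(r"\$\$(EnhancerBy|FastClassBy)"),  # CGLIB-generated proxies
)


def parse_histogram(text: str) -> dict[str, tuple[int, int]]:
    """Map each loaded class name to (instance count, bytes)."""
    loaded: dict[str, tuple[int, int]] = {}
    for line in text.splitlines():
        m = HISTOGRAM_LINE.match(line)
        if m:
            loaded[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return loaded


def index_classpath(roots) -> set[str]:
    """Collect every class name present on disk under the given classpath roots.

    A root is a directory of jars (Tomcat's lib/, a webapp's WEB-INF/lib) or a
    directory whose subtree maps directly onto packages (WEB-INF/classes, or the
    per-webapp directory under Tomcat's work/ where compiled JSPs live). Jars nested
    inside an unexploded WAR are not expanded; Tomcat explodes WARs on deploy.
    """
    names: set[str] = set()
    for root in map(Path, roots):
        for path in root.rglob("*"):
            if not path.is_file():
                continue
            if path.suffix in (".jar", ".war"):
                with zipfile.ZipFile(path) as zf:
                    for entry in zf.namelist():
                        if entry.endswith(".class"):
                            entry = entry.removeprefix("WEB-INF/classes/")
                            names.add(entry[: -len(".class")].replace("/", "."))
            elif path.suffix == ".class":
                names.add(".".join(path.relative_to(root).with_suffix("").parts))
    return names


def find_unbacked_classes(loaded: dict[str, tuple[int, int]], on_disk: set[str]) -> list[str]:
    """Return loaded application classes that no jar or .class file accounts for."""
    hits = []
    for name in loaded:
        if name.startswith(RUNTIME_PREFIXES):
            continue
        if any(p.search(name) for p in GENERATED_PATTERNS):
            continue
        if name not in on_disk:  # inner classes (Outer$Inner) have their own .class file
            hits.append(name)
    return sorted(hits)


def hunt(histogram_text: str, roots) -> list[str]:
    return find_unbacked_classes(parse_histogram(histogram_text), index_classpath(roots))


# Constructed histogram excerpt. Every class except IdentityAuditAction is backed by
# the jar written in build_sample_classpath(); the shell-like name is hypothetical.
SAMPLE_HISTOGRAM = """\
 num     #instances         #bytes  class name (module)
-------------------------------------------------------
   1:         10293        3819408  [B (java.base@17.0.9)
   2:          4410         423360  java.lang.String (java.base@17.0.9)
   3:           212          30528  org.apache.catalina.core.StandardWrapper
   4:            40           3840  com.example.ise.audit.IdentityAuditService
   5:             1            120  com.example.ise.IdentityAuditAction
   6:             3            240  com.example.ise.audit.IdentityAuditService$$Lambda$41/0x0000000800c0a000
Total         14959        4277496
"""


def build_sample_classpath(root: Path) -> list[Path]:
    """Write a constructed lib/ directory with one jar standing in for the real classpath."""
    lib = root / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(lib / "ise-audit.jar", "w") as zf:
        for cls in ("com/example/ise/audit/IdentityAuditService.class",
                    "org/apache/catalina/core/StandardWrapper.class"):
            zf.writestr(cls, b"\xca\xfe\xba\xbe")  # only the entry name matters here
    return [lib]


def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(SAMPLE_HISTOGRAM, build_sample_classpath(Path(tmp)))


if __name__ == "__main__":
    for name in demo():
        print("loaded but absent from classpath:", name)
```

Two caveats when running this against a real host: include Tomcat's work/ directory for the webapp as a root, or every compiled JSP will be reported; and treat a hit as a lead, not proof. Confirm it by dumping the heap (`jmap -dump:format=b,file=heap.hprof <pid>`) and recovering the class bytes, which also tells you whether the class was registered as a Tomcat listener or filter, the hook the report attributes to this shell.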
Related Stories

Active Exploitation of Cisco ISE Zero-Day Vulnerability for Remote Code Execution
Hackers exploited a zero-day vulnerability in Cisco's Identity Services Engine (ISE), tracked as CVE-2025-20337, which allowed pre-authentication remote code execution and administrator-level access to affected systems. Amazon Web Services researchers detected the campaign using their MadPot honeypot and observed that attackers deployed custom web shells disguised as legitimate Cisco ISE components, specifically `IdentityAuditAction`, using Java APIs to hook into running Tomcat threads and intercept HTTP requests. The vulnerability, rated CVSS 10.0, was actively exploited in the wild before Cisco had assigned a CVE or released comprehensive patches for all affected ISE branches. Cisco released a patch for the flaw in July after confirming in-the-wild exploitation, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently added CVE-2025-20337 to its Known Exploited Vulnerabilities catalog. AWS CISO CJ Moses noted that the attackers' "patch-gap exploitation", targeting systems before official disclosure and patch availability, shows the sophistication of actors who rapidly weaponize newly discovered vulnerabilities. Organizations using Cisco ISE are urged to confirm that patches are applied and to monitor for signs of compromise, particularly suspicious web shells or unauthorized HTTP listeners.
Exploitation of Zero-Day Vulnerabilities in Remote Access Technologies
Threat actors have increasingly targeted remote access technologies in 2025 by exploiting a series of critical vulnerabilities, many of which were zero-days at the time of discovery. Security researchers have identified several high-impact vulnerabilities affecting widely deployed enterprise products, including Citrix NetScaler, Cisco IOS and IOS XE, Cisco ASA and FTD, Fortra GoAnywhere MFT, and Oracle E-Business Suite. These vulnerabilities have enabled remote code execution, authentication bypass, and other forms of unauthorized access, posing significant risk to organizations that rely on these products for perimeter defense. Some of these flaws, such as CVE-2025-7775 in Citrix NetScaler and CVE-2025-20352 in Cisco IOS/IOS XE, were exploited before public disclosure, underlining the persistent threat of zero-day attacks. The threat actor UAT4356, responsible for the ArcaneDoor campaign, has been linked to the exploitation of certain Cisco vulnerabilities, showing that sophisticated adversaries are involved. Alongside new zero-days, attackers continue to leverage older, unpatched vulnerabilities, which keeps patch management an ongoing challenge. Initial access brokers and both opportunistic and targeted threat actors have been observed using these exploits to gain footholds in enterprise environments, often as a precursor to extortion or data theft. Vendor security bulletins, including those from Ivanti and Fortinet, provide guidance and mitigation steps for affected organizations. Public proof-of-concept exploits for some of the vulnerabilities have accelerated their weaponization in the wild, and because remote access technologies sit at the edge of the enterprise, timely detection and remediation are essential.
Security teams are urged to prioritize patching, monitor for signs of exploitation, and enforce robust access controls. Researchers emphasize the value of machine-readable, well-vetted vulnerability intelligence for rapid response. The targeting of remote access solutions is expected to persist given their attractiveness as initial access vectors, so organizations should review vendor advisories and apply recommended patches without delay; reducing exposure requires coordinated effort between vendors, security researchers, and enterprise defenders.
Critical Zero-Day Exploitation of Cisco Security Appliances
Multiple critical zero-day vulnerabilities have been exploited in Cisco security products, targeting both email security appliances and network firewalls. A China-linked APT tracked as UAT-9686 exploited a zero-day vulnerability (CVE-2025-20393) in Cisco email security appliances running AsyncOS, specifically where the Spam Quarantine feature is reachable from the internet. The flaw allows attackers to gain root privileges, a severe risk for organizations that rely on these appliances for email protection. In parallel, Cisco Secure Firewall Adaptive Security Appliance (ASA) and Threat Defense (FTD) software have been targeted by a separate espionage campaign, linked to the ArcaneDoor actor, exploiting multiple zero-days (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) to achieve unauthenticated remote code execution and persistence that survives reboots and upgrades. These campaigns prompted emergency directives from CISA and underline the ongoing threat to perimeter network devices. Attackers have used the vulnerabilities to establish persistent footholds, manipulate device memory, and potentially pivot deeper into victim networks. The ASA and FTD vulnerabilities were publicly disclosed and patched, but the email security appliance zero-day remains unpatched, which makes it urgent for organizations to review their exposure and apply available mitigations.