Amazon Uncovers Cyberattacks Exploiting Cisco ISE and Citrix NetScaler Zero-Day Vulnerabilities

Amazon’s threat intelligence division has discovered an ongoing campaign that exploits two critical zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC systems. These flaws are being weaponized by a highly advanced threat actor to deploy custom-built malware aimed at infiltrating enterprise environments.

Critical Vulnerabilities Under Attack

The attack campaign takes advantage of two major vulnerabilities:

  • CVE-2025-5777 (Citrix Bleed 2) – A high-severity flaw (CVSS 9.3) in Citrix NetScaler ADC and Gateway that allows attackers to bypass authentication. It was patched in June 2025.
  • CVE-2025-20337 – A critical remote code execution (RCE) vulnerability (CVSS 10.0) in Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC) that enables unauthenticated attackers to execute arbitrary code as root. Cisco fixed it in July 2025.

According to Amazon, both vulnerabilities were actively exploited in the wild before the official patches were released, confirming their zero-day status.

Discovery and Technical Insights

Amazon detected these exploits through its MadPot honeypot network, which observed unusual payloads targeting Cisco ISE appliances. Further investigation revealed that the attackers deployed a custom web shell disguised as a legitimate Cisco component named IdentityAuditAction.

“This wasn’t generic malware,” said CJ Moses, Chief Information Security Officer at Amazon Integrated Security. “It was a purpose-built backdoor tailored specifically for Cisco ISE systems.”

The malicious web shell operates stealthily:

  • It executes entirely in memory, avoiding traditional file-based detection.
  • It uses Java reflection to inject code into active Tomcat server threads.
  • It registers as an HTTP listener to monitor all incoming requests.
  • It employs DES encryption with non-standard Base64 encoding for obfuscation.

These features make it exceptionally difficult for traditional security solutions to detect.

Indicators of a Highly Resourced Adversary

Amazon characterized the actor as highly sophisticated and well-funded, capable of exploiting multiple zero-day vulnerabilities simultaneously. The attackers either possess advanced vulnerability research skills or have access to confidential exploit information.

Their use of custom tools also highlights a deep understanding of enterprise Java applications, Tomcat internals, and Cisco ISE architecture — indicating the work of a professional threat group rather than opportunistic hackers.