A threat actor has been exploiting two zero-day vulnerabilities, one in Cisco Identity Services Engine (ISE) and one in Citrix NetScaler ADC, to deliver custom malware. The exploitation of the two flaws, CVE-2025-5777 (the NetScaler bug also known as Citrix Bleed 2) and CVE-2025-20337 (the Cisco ISE bug), was uncovered by Amazon's threat intelligence team through its MadPot honeypot network.
The two bugs play different roles: CVE-2025-5777, an insufficient-input-validation flaw in NetScaler ADC and Gateway, lets an attacker bypass authentication, while CVE-2025-20337, an input-validation flaw in Cisco ISE, lets an unauthenticated remote attacker execute arbitrary code on the underlying operating system as root. Amazon detected exploitation attempts against CVE-2025-5777 before the flaw was publicly disclosed, and the follow-on investigation turned up a custom-built backdoor written specifically for Cisco ISE environments.
The malware is disguised as a legitimate component named IdentityAuditAction and uses evasion techniques such as Java reflection, to inject itself into already-running threads rather than leaving an obvious on-disk footprint, and DES encryption of its traffic to stay under the radar. Amazon describes the threat actor as "highly resourced": exploiting vulnerabilities before they are public points to either access to non-public vulnerability research or the capability to discover such flaws independently.
The practical lesson is that patching alone does not protect against an actor who is using bugs before a patch exists. Defense in depth, restricting who can reach management interfaces such as ISE and NetScaler in the first place, and detection capabilities that flag unusual behavior patterns, such as unexpected Java components appearing on an appliance, matter even on systems that are otherwise well configured and fully patched.
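One concrete form such detection can take is an integrity and indicator sweep over the Java artifacts deployed on an appliance. The script below is an added example written for this summary, not code from Amazon, Cisco or the original article. It walks a directory of jar files, compares each against a known-good SHA-256 baseline, and flags class entries whose name is on a watchlist taken from the report (IdentityAuditAction) or that reference both reflection and DES APIs in the same class, the combination the backdoor is described as using. The directory layout, the file names and the byte patterns it looks for are assumptions for illustration; the sample jars are constructed in a temporary directory and contain placeholder bytes rather than real compiled classes.

```python
"""Sweep a deployment directory for Java artifacts matching the backdoor's traits.

Added example, not part of the original report. Paths, file names and the
sample jars built by build_sample_tree() are all constructed for illustration.
"""
from __future__ import annotations

import hashlib
import tempfile
import zipfile
from pathlib import Path

# Indicators from the report: a component named IdentityAuditAction that uses
# Java reflection and DES encryption. The byte strings are how those APIs show
# up in a compiled class's constant pool (assumed; adjust to your own tooling).
WATCHLIST_NAMES = {"IdentityAuditAction"}
REFLECTION_MARKERS = (b"java/lang/reflect/Method", b"getDeclaredMethod", b"setAccessible")
DES_MARKERS = (b"DES/", b"javax/crypto/Cipher", b"DESKeySpec")


def classify_entry(entry_name: str, data: bytes) -> list[str]:
    """Return the reasons a .class entry looks suspicious (empty list if none)."""
    reasons = []
    if Path(entry_name).stem in WATCHLIST_NAMES:
        reasons.append("name on watchlist")
    uses_reflection = any(m in data for m in REFLECTION_MARKERS)
    uses_des = any(m in data for m in DES_MARKERS)
    if uses_reflection and uses_des:
        reasons.append("reflection + DES in one class")
    return reasons


def scan_jar(jar_path: Path) -> dict[str, list[str]]:
    """Map each suspicious .class entry inside a jar to its reasons."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(jar_path) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".class"):
                continue
            reasons = classify_entry(info.filename, zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, baseline: dict[str, str]) -> dict[str, dict]:
    """Flag jars that are new, changed against the baseline, or carry indicators.

    baseline maps jar path (relative to root, POSIX style) to its known SHA-256.
    Jars that match the baseline and carry no indicators are omitted from the report.
    """
    report: dict[str, dict] = {}
    for jar in sorted(root.rglob("*.jar")):
        rel = jar.relative_to(root).as_posix()
        entry: dict = {}
        if baseline.get(rel) != sha256_file(jar):
            entry["baseline"] = "not in baseline" if rel not in baseline else "hash changed"
        findings = scan_jar(jar)
        if findings:
            entry["indicators"] = findings
        if entry:
            report[rel] = entry
    return report


def _fake_class(strings: list[bytes]) -> bytes:
    # Constructed stand-in for a compiled class: the class-file magic followed by
    # NUL-separated strings. Not a valid class file; enough to exercise the scan.
    return b"\xca\xfe\xba\xbe" + b"\x00".join(strings)


def build_sample_tree(root: Path) -> dict[str, str]:
    """Create one baselined benign jar and one unbaselined jar with indicators."""
    lib = root / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    benign = lib / "audit-core.jar"
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("com/example/AuditLogger.class",
                    _fake_class([b"java/util/logging/Logger"]))
    implant = lib / "identity-plugin.jar"
    with zipfile.ZipFile(implant, "w") as zf:
        zf.writestr("com/example/IdentityAuditAction.class",
                    _fake_class([b"java/lang/reflect/Method", b"setAccessible",
                                 b"DES/ECB/PKCS5Padding", b"javax/crypto/Cipher"]))
    # Only the benign jar is in the "known-good" baseline.
    return {"lib/audit-core.jar": sha256_file(benign)}


def demo() -> dict[str, dict]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = build_sample_tree(root)
        return scan_tree(root, baseline)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In the constructed sample only `lib/identity-plugin.jar` is reported: it is absent from the baseline and its `IdentityAuditAction` entry trips both the name watchlist and the reflection-plus-DES rule, while the baselined `audit-core.jar` is silent. On a real appliance the baseline would be generated from a freshly installed, known-good image and the sweep scheduled to run against the live deployment; a new or changed jar is worth investigating even when no string indicator fires, since an attacker can rename the class in the next campaign.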
Source: https://thehackernews.com/2025/11/amazon-uncovers-attacks-exploited-cisco.html