Zero-Day Flaws Exploited by Advanced Threat Actor

A highly skilled threat actor has exploited two critical vulnerabilities, Citrix Bleed 2 in NetScaler and a flaw in Cisco ISE, to deploy custom malware. Amazon’s threat intelligence team detected the exploitation attempts before the vulnerabilities were publicly disclosed and before patches became available.

A sophisticated threat actor took advantage of two zero-day flaws, one in NetScaler ADC and Gateway (Citrix Bleed 2) and one in Cisco Identity Services Engine (ISE), tracked as CVE-2025-20337, to deploy custom malware. Amazon’s MadPot honeypot service detected the exploitation attempts prior to public disclosure, indicating that the threat actor had been exploiting both vulnerabilities as zero-days.

Citrix Bleed 2 is an out-of-bounds memory read flaw in NetScaler ADC and Gateway. The vendor disclosed it and released fixes in late June, but took some time to confirm that the flaw was being used in attacks. Exploits became available in early July, and CISA subsequently tagged the flaw as exploited.

The ISE vulnerability (CVE-2025-20337) has a maximum severity score and was published on July 17. Cisco warned that it could be exploited to gain unauthorized access to devices. Just four days later, the vendor updated its advisory to warn that CVE-2025-20337 was being actively exploited.

The hackers leveraged both flaws to deploy a custom web shell named ‘IdentityAuditAction,’ disguised as a legitimate ISE component. The web shell intercepted all requests and used Java reflection to inject itself into Tomcat server threads. For stealth, it employed DES encryption with a non-standard base64 alphabet and left minimal forensic traces behind.

The use of multiple undisclosed zero-day flaws and advanced knowledge of Java/Tomcat internals point to a highly resourced and advanced threat actor. However, Amazon could not attribute the activity to a known threat group. The targeting appeared indiscriminate, which is unusual for such sophisticated operations.

Security experts recommend applying the available security updates for CVE-2025-5777 (Citrix Bleed 2) and CVE-2025-20337 (Cisco ISE) and limiting access to edge network devices with firewalls and layered defenses.

Source: https://www.bleepingcomputer.com/news/security/hackers-exploited-citrix-cisco-ise-flaws-in-zero-day-attacks