Amazon’s threat intelligence team has identified an advanced persistent threat group exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler products. These attacks were observed before the vendors publicly disclosed and patched the critical defects last summer. The findings highlight sophisticated threat actor capabilities and a growing focus on identity and network edge infrastructure.
The MadPot honeypot service, operated by Amazon, detected the active exploitation of these vulnerabilities. Specifically, CVE-2025-5777 in Citrix and CVE-2025-20337 in Cisco were targeted. Subsequent investigation by Amazon determined that a well-resourced threat actor was behind these incidents. CJ Moses, Amazon’s chief information security officer, stated in a blog post on Wednesday that there is high confidence that the same threat actor was involved in exploiting both vulnerabilities.
Exploitation of Zero-Day Vulnerabilities
Amazon’s discovery provides insight into current threat trends, including the increased focus by threat groups on identity and network edge infrastructure. Additionally, it underscores the ability of these groups to weaponize vulnerabilities rapidly as zero-days, meaning they are exploited before vendors are even aware of the defect or have released a patch.
The origins and exact identity of the threat group remain unknown. However, CJ Moses suggested that the most probable objective was to gain prolonged access to target systems for espionage purposes. This suggests a motive beyond simple data theft, pointing towards more strategic intelligence gathering.
Advanced Capabilities of the Threat Actor
Amazon threat researchers observed the threat group employing custom malware. This malware included a backdoor specifically designed for Cisco ISE environments and demonstrated advanced evasion techniques. Moses elaborated in the blog post that the threat actor’s custom tools indicated a profound understanding of enterprise Java applications, Tomcat internals, and the specific architectural nuances of Cisco ISE.
Cisco initially disclosed CVE-2025-20337 on June 25. However, Amazon’s findings indicate that exploitation of this vulnerability was already underway in May. Amazon researchers identified these pre-disclosure exploits in early July and traced the attacks back to activity in May and June.
Amazon subsequently disclosed the active exploitation of the defect to Cisco. In response, Cisco informed its customers of the issue within hours, according to Moses. Details regarding the total number of organizations impacted by exploits targeting CVE-2025-20337 were not shared.
Separately, Citrix disclosed CVE-2025-5777 on June 17. This vulnerability is notable for its significant similarities to a defect discovered in the same products in 2023, leading to its nickname, CitrixBleed 2. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities catalog on July 10.
By mid-July, cybersecurity researchers had documented over 11.5 million attack attempts against thousands of websites since the disclosure of the Citrix vulnerability. This indicates a widespread and rapid adoption of the exploit by various threat actors.
Amazon has not provided specific reasons for disclosing this information about active zero-day exploitation months after its initial discovery. The company also stated that it does not possess further information regarding more recent attacks linked to these specific vulnerabilities.
Moses emphasized that the threat group’s utilization of multiple zero-day exploits suggests sophisticated vulnerability research capabilities or access to undisclosed vulnerability information. This points to a high level of sophistication and resources within the attacking group.
Moving forward, the focus will likely remain on how quickly and effectively organizations can patch their systems against known vulnerabilities and strengthen their defenses against zero-day threats. Any further information from Amazon or the affected vendors regarding the scope of these attacks or the identity of the threat actor will be closely watched by the cybersecurity community.