Amazon Discovers Advanced Threat Actor Exploiting Cisco ISE and Citrix NetScaler Zero-Days
Amazon’s threat intelligence team has uncovered evidence of a sophisticated threat actor actively exploiting two zero-day vulnerabilities in critical network infrastructure. The attacks targeted Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products, aiming to deploy custom malware and gain unauthorized access. This discovery highlights the growing trend of adversaries focusing on identity and network access control systems, which are foundational to enterprise security.
The advanced threat actor, identified by Amazon’s MadPot honeypot network, was observed weaponizing two previously unknown security flaws. These exploits allowed for the circumvention of security measures and the execution of malicious code, ultimately leading to the deployment of custom-designed backdoors. The nature of these attacks suggests significant resources and advanced capabilities on the part of the perpetrator.
Exploitation of High-Impact Vulnerabilities
The exploitation campaign involved two critical vulnerabilities: CVE-2025-5777 and CVE-2025-20337. CVE-2025-5777, dubbed “Citrix Bleed 2,” is an insufficient input validation flaw in Citrix NetScaler ADC and Gateway. This vulnerability, with a CVSS severity score of 9.3, allowed attackers to bypass authentication mechanisms. Citrix addressed this issue in June 2025.
Meanwhile, CVE-2025-20337 poses an even greater threat, rated with a CVSS score of 10.0. This unauthenticated remote code execution vulnerability affects Cisco Identity Services Engine (ISE) and its Passive Identity Connector (ISE-PIC). According to Amazon’s report, remote adversaries could exploit this flaw to execute arbitrary code with root privileges on the underlying operating system. Cisco issued a fix for this vulnerability in July 2025.
Custom Malware and Stealthy Tactics
Amazon’s investigation revealed that the threat actor employed novel techniques to remain undetected. Exploitation attempts against CVE-2025-5777 were observed before a fix was available, making it a zero-day attack. Further analysis uncovered an anomalous payload targeting Cisco ISE appliances, specifically weaponizing CVE-2025-20337. This activity culminated in the deployment of a custom web shell, disguised as a legitimate Cisco ISE component named IdentityAuditAction.
“This wasn’t typical off-the-shelf malware, but rather a custom-built backdoor specifically designed for Cisco ISE environments,” stated CJ Moses, CISO of Amazon Integrated Security, in a report. The malware demonstrated advanced evasion capabilities, including operating entirely in memory and leveraging Java reflection to inject itself into running threads. It also acted as a listener for all HTTP requests on the Tomcat server, employing DES encryption and non-standard Base64 encoding to avoid detection.
Implications for Network Security
The reported campaign underscores the persistent threat to network edge appliances, which adversaries increasingly target to gain initial access into networks. Amazon characterized the threat actor as “highly resourced,” citing their ability to leverage multiple zero-day exploits. This suggests either significant in-house vulnerability research capabilities or access to lucrative non-public vulnerability information. The use of bespoke tools also points to a sophisticated understanding of enterprise Java applications, Tomcat internals, and the specific architecture of Cisco ISE.
The pre-authentication nature of these exploits means that even well-configured and meticulously maintained systems are susceptible. This emphasizes the critical need for organizations to implement robust defense-in-depth strategies. Additionally, developing comprehensive detection capabilities to identify unusual behavior patterns is crucial for mitigating the impact of such advanced threats. Limiting access to privileged management portals through firewalls or layered access controls remains a fundamental security practice.
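The last recommendation above, restricting who can reach privileged management portals, is easy to state and easy to get wrong: a single broad "allow" placed ahead of a narrow rule silently exposes an admin interface. The script below is an added illustration, not code from Amazon's report or from Cisco or Citrix; it models a simple first-match firewall policy with an implicit default deny and audits whether management ports (the port numbers, the management subnet 10.10.0.0/24, the probe addresses and the "service" port 1812 are all constructed assumptions) are reachable from anywhere outside the management network. A weak policy is shown beside its corrected form.

```python
"""Audit a first-match firewall policy for over-exposed management ports.

Added example. The rule format, port roles and addresses are constructed
assumptions; protocol is omitted for brevity (all ports treated as TCP).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR; "0.0.0.0/0" means any IPv4 source
    dport: Optional[int]   # destination port; None matches every port


def _matches(rule: Rule, src_ip: ipaddress._BaseAddress, dport: int) -> bool:
    net = ipaddress.ip_network(rule.src, strict=False)
    if src_ip.version != net.version or src_ip not in net:
        return False
    return rule.dport is None or rule.dport == dport


def decide(rules: List[Rule], src: str, dport: int) -> str:
    """First matching rule wins; if nothing matches, the policy denies."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if _matches(rule, ip, dport):
            return rule.action
    return "deny"


def audit(rules: List[Rule], mgmt_ports: Dict[int, str], mgmt_net: str,
          probes: List[str]) -> List[Tuple[str, int, str]]:
    """Return (source, port, role) for every management port that a probe
    address outside the management network can reach under `rules`."""
    allowed_net = ipaddress.ip_network(mgmt_net)
    findings = []
    for src in probes:
        if ipaddress.ip_address(src) in allowed_net:
            continue  # management hosts are supposed to reach these ports
        for port, role in mgmt_ports.items():
            if decide(rules, src, port) == "allow":
                findings.append((src, port, role))
    return findings


# Constructed assumptions for the demonstration.
MGMT_PORTS = {22: "ssh", 443: "admin-https"}   # privileged management portals
MGMT_NET = "10.10.0.0/24"                      # the only network allowed to manage the appliance
SERVICE_PORT = 1812                            # a service clients legitimately reach from anywhere
PROBES = ["203.0.113.7", "192.168.1.50", "10.10.0.5"]  # internet, user LAN, management host

# Weak policy: the admin portal on 443 is opened to every source, and the
# broad rule sits ahead of the narrow one, so the narrow one never applies.
WEAK_POLICY = [
    Rule("allow", "0.0.0.0/0", 443),
    Rule("allow", MGMT_NET, 22),
    Rule("allow", "0.0.0.0/0", SERVICE_PORT),
    Rule("deny", "0.0.0.0/0", None),
]

# Hardened policy: management ports are reachable only from the management
# subnet; the client-facing service port stays open; everything else is denied.
HARDENED_POLICY = [
    Rule("allow", MGMT_NET, 443),
    Rule("allow", MGMT_NET, 22),
    Rule("allow", "0.0.0.0/0", SERVICE_PORT),
    Rule("deny", "0.0.0.0/0", None),
]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        exposed = audit(policy, MGMT_PORTS, MGMT_NET, PROBES)
        print(f"{name}: {len(exposed)} exposure(s)")
        for src, port, role in exposed:
            print(f"  {role} (tcp/{port}) reachable from {src}")
```

The audit deliberately evaluates the policy the way the firewall would (first match wins) rather than just scanning for broad allow rules, because a deny placed earlier can make a broad allow harmless and a broad allow placed earlier can make a narrow one irrelevant. Run it against a policy export in the same shape to see which portals are reachable from addresses that should never be able to manage the device.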
Future Outlook and Defense Strategies
The discovery of these targeted zero-day attacks serves as a stark reminder of the evolving threat landscape. Organizations should prioritize patching vulnerable Cisco ISE and Citrix NetScaler systems immediately, now that fixes have been released. Continuous monitoring and advanced threat detection solutions are essential for identifying and responding to in-memory malware and other stealthy attack vectors.
Moving forward, the focus will likely remain on the sophisticated capabilities of threat actors to exploit foundational network infrastructure. Companies will need to invest in intelligence gathering and proactive threat hunting to stay ahead of such adversaries. The continued emphasis on identity and access management security, coupled with vigilant monitoring of network edge devices, will be paramount in defending against future breaches of this nature. Organizations are advised to review their security postures and ensure that their incident response plans are equipped to handle complex, multi-stage attacks targeting critical network components.