Critical Zero-Day Exploits Target Cisco ISE and Citrix NetScaler: Amazon Uncovers In-the-Wild Attacks
- Rescana

Executive Summary
Amazon’s threat intelligence division has recently identified a highly sophisticated campaign leveraging zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC/Gateway. These vulnerabilities, tracked as CVE-2025-20337 for Cisco ISE and CVE-2025-5777 for Citrix NetScaler (dubbed “Citrix Bleed 2”), were actively exploited in the wild prior to public disclosure and patch release. The attackers demonstrated advanced technical acumen, deploying custom in-memory malware to compromise critical identity and network access control infrastructure. The campaign’s indiscriminate targeting of internet-exposed systems underscores the urgent need for immediate mitigation and robust monitoring across all organizations utilizing these platforms.
Threat Actor Profile
The threat actors behind these attacks exhibit hallmarks of a highly resourced, possibly state-sponsored group. Their operational sophistication is evidenced by simultaneous exploitation of two distinct zero-day vulnerabilities in widely deployed enterprise products—Cisco ISE and Citrix NetScaler ADC/Gateway. The attackers possess deep knowledge of enterprise Java, Apache Tomcat internals, and the architectural nuances of Cisco ISE. Their ability to develop and deploy a custom, in-memory web shell that evades conventional detection mechanisms, as well as their use of non-standard cryptographic and encoding techniques, further suggests access to advanced research capabilities and potentially non-public vulnerability information. No public attribution to a specific Advanced Persistent Threat (APT) group has been made as of this report, but the campaign’s scale and technical depth are consistent with nation-state or APT-level operations.
Technical Analysis of Malware/TTPs
The attack chain begins with remote, unauthenticated exploitation of either CVE-2025-5777 in Citrix NetScaler ADC/Gateway or CVE-2025-20337 in Cisco ISE. The Citrix Bleed 2 vulnerability arises from insufficient input validation, leading to memory overreads when the device is configured as a Gateway or AAA virtual server. This flaw enables attackers to bypass authentication and potentially exfiltrate sensitive memory contents. The Cisco ISE vulnerability is rooted in unsafe deserialization logic, allowing unauthenticated remote code execution as root on the underlying operating system.
Upon successful exploitation, the attackers deploy a custom web shell masquerading as a legitimate Cisco ISE component, named IdentityAuditAction. This web shell is not an off-the-shelf tool but a bespoke, in-memory implant that leverages Java reflection to inject itself into running threads within the Apache Tomcat application server. It registers as a listener, enabling it to intercept and process all HTTP requests to the compromised system.
The web shell employs DES/ECB/PKCS5Padding encryption with a hardcoded key (d384922c) and utilizes a non-standard Base64 encoding scheme. Access to the web shell is gated by the requirement for specific HTTP headers, significantly complicating detection by traditional web application firewalls and intrusion detection systems. The implant is designed to operate entirely in-memory, leaving minimal forensic artifacts on disk and evading most endpoint detection and response (EDR) solutions.
Network indicators include anomalous HTTP requests to Cisco ISE endpoints and outbound connections from compromised ISE or NetScaler devices to attacker-controlled infrastructure. The attackers’ post-exploitation activities include establishing full administrative access, deploying additional payloads, and conducting lateral movement within the victim environment.
Exploitation in the Wild
Amazon’s MadPot honeypot network was instrumental in detecting the initial exploitation attempts against Citrix NetScaler ADC/Gateway in May 2025. These attacks were observed as zero-day exploits, with no prior public disclosure or available patches. Subsequent analysis revealed that the same threat actors were also targeting Cisco ISE using a previously unknown remote code execution vulnerability.
The exploitation campaign was broad in scope, targeting any internet-exposed instance of the vulnerable products regardless of sector or geography. The attackers’ use of custom payloads and advanced evasion techniques allowed them to remain undetected for an extended period, with some compromises persisting until after the release of vendor patches.
The attack chain typically unfolded as follows: initial access was gained via exploitation of the zero-day vulnerabilities, followed by deployment of the in-memory web shell. The attackers then established persistence, monitored incoming HTTP traffic, and exfiltrated sensitive data or credentials. In several observed cases, the attackers leveraged their foothold to move laterally within the victim’s network, targeting additional high-value assets.
Victimology and Targeting
The campaign was characterized by its indiscriminate targeting of organizations operating internet-exposed Cisco ISE and Citrix NetScaler ADC/Gateway devices. While no specific sectors or countries were singled out in public reporting, the nature of the targeted infrastructure—identity and network access control—suggests a focus on enterprises and government entities with significant operational dependencies on these platforms. The attackers’ methodology did not discriminate based on organization size or industry vertical, increasing the risk profile for any entity utilizing the affected products.
The use of zero-day exploits and custom malware indicates a strategic objective to compromise critical infrastructure components that serve as gatekeepers for authentication and network segmentation. Successful exploitation could enable attackers to bypass multi-factor authentication, harvest credentials, and pivot to other sensitive systems within the victim environment.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by these vulnerabilities. Organizations utilizing Citrix NetScaler ADC/Gateway should apply the patches detailed in Citrix Security Bulletin CTX693420 without delay. Similarly, all deployments of Cisco ISE and ISE Passive Identity Connector (ISE-PIC) must be updated to the latest versions as per the Cisco Security Advisory for CVE-2025-20337.
In addition to patching, organizations should conduct comprehensive audits for unauthorized files or components named IdentityAuditAction and scrutinize Apache Tomcat logs for evidence of unusual listeners or in-memory thread injections. Network monitoring should be enhanced to detect anomalous HTTP requests to Cisco ISE endpoints and outbound connections from ISE or NetScaler devices to unknown external hosts.
Access to management portals for both Cisco ISE and Citrix NetScaler should be restricted to trusted networks only, and multi-factor authentication should be enforced wherever possible. Security teams are advised to review the CISA Known Exploited Vulnerabilities Catalog for ongoing updates and to implement detection rules based on the technical indicators described in this report, including the use of DES-encrypted payloads and non-standard Base64 encoding.
Given the advanced nature of the malware and its in-memory operation, traditional endpoint security solutions may be insufficient. Organizations should consider deploying memory forensics and behavioral analytics tools capable of detecting reflective code injection and unauthorized thread creation within Java application servers.
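As an added example (not code from the advisory or from Amazon's report), a small triage script that applies two of the indicators above to Tomcat access-log lines: the IdentityAuditAction name, and parameter values shaped like Base64 but using a non-standard alphabet. The log lines, hosts, paths and tokens are constructed, and the length and entropy thresholds are assumptions.

```python
# Added triage helper, not code from the advisory or Amazon's report. It scans
# Tomcat common-log-format access lines for two indicators the advisory names: the
# IdentityAuditAction name and parameter values that look like Base64 but use a
# non-standard alphabet. All sample data below is constructed.
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+')
B64_STD = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
B64_URL = (B64_STD - set("+/")) | set("-_")

def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_custom_base64(value, min_len=24, min_entropy=4.0):
    """Heuristic (thresholds are assumptions): a long, dense, printable token whose
    character set fits neither the standard nor the URL-safe Base64 alphabet."""
    if len(value) < min_len:
        return False
    chars = set(value)
    if not all(33 <= ord(c) <= 126 for c in chars):
        return False
    if chars <= B64_STD or chars <= B64_URL:
        return False  # ordinary Base64 alphabet; a plain alphabet check stops here
    return entropy(value) >= min_entropy

def triage(log_lines):
    """Return (line_no, reason) pairs for lines that deserve analyst review."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        target = m.group("target")
        if "IdentityAuditAction" in target:
            hits.append((n, "request references IdentityAuditAction"))
        for key, val in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if looks_like_custom_base64(val):
                hits.append((n, f"parameter {key!r} carries a non-standard Base64-like token"))
    return hits

# Constructed samples: a request naming the implant, a custom-encoded parameter,
# and an ordinary standard-Base64 token that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2025:10:15:07 +0000] "POST /admin/IdentityAuditAction HTTP/1.1" 200 88',
    '203.0.113.9 - - [12/Nov/2025:10:16:22 +0000] "GET /portal/gw?cmd=x9!Kd*T2$qW~p7.Lm^4|Zr!8Ju*5Bn$Q3 HTTP/1.1" 200 64',
    '10.0.0.7 - - [12/Nov/2025:10:17:00 +0000] "GET /admin/search?token=SGVsbG8sIHdvcmxkLCB0aGlzIGlzIGZpbmU= HTTP/1.1" 200 300',
]
```

Access logs do not record request headers, so the header gating the advisory describes needs a request-level capture (proxy or WAF logs) to check; this script covers only what the access log exposes.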
References
Amazon Security Blog: Amazon discovers APT exploiting Cisco and Citrix zero-days https://aws.amazon.com/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/
The Hacker News: Amazon Uncovers Attacks Exploited Cisco ISE and Citrix NetScaler as Zero-Day Flaws https://thehackernews.com/2025/11/amazon-uncovers-attacks-exploited-cisco.html
NVD CVE-2025-5777 https://nvd.nist.gov/vuln/detail/CVE-2025-5777
Horizon3.ai CitrixBleed 2 Write-up https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/
Cisco Security Advisory for CVE-2025-20337 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-2025-20337
CISA KEV Catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-5777
About Rescana
Rescana empowers organizations to proactively manage third-party risk and supply chain security through our advanced TPRM platform. Our solution provides continuous monitoring, automated risk assessments, and actionable intelligence to help you identify, prioritize, and mitigate cyber threats across your extended enterprise ecosystem. We are committed to delivering timely, actionable insights to safeguard your organization’s most critical assets.
For further information or to discuss any aspect of this advisory, please contact us at ops@rescana.com.