Amazon’s threat intelligence team on Wednesday disclosed that it observed an advanced threat actor exploiting two then-zero-day security flaws in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products as part of attacks designed to deliver custom malware.
“This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure – the systems enterprises rely on to enforce security policies and manage authentication across their networks,” CJ Moses, CISO of Amazon Integrated Security, said in a report shared with The Hacker News.
The attacks were flagged by its MadPot honeypot network, with the activity weaponizing the following two vulnerabilities –
- CVE-2025-5777 or Citrix Bleed 2 (CVSS score: 9.3) – An insufficient input validation vulnerability in Citrix NetScaler ADC and Gateway that could be exploited by an attacker to bypass authentication. (Fixed by Citrix in June 2025)
- CVE-2025-20337 (CVSS score: 10.0) – An unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow a remote attacker to execute arbitrary code on the underlying operating system as root. (Fixed by Cisco in July 2025)
While both shortcomings have come under active exploitation in the wild, the report from Amazon sheds light on the exact nature of the attacks leveraging them.
The tech giant said it detected exploitation attempts targeting CVE-2025-5777 as a zero-day in May 2025, and that further investigation of the threat led to the discovery of an anomalous payload aimed at Cisco ISE appliances by weaponizing CVE-2025-20337. The activity is said to have culminated in the deployment of a custom web shell disguised as a legitimate Cisco ISE component named IdentityAuditAction.
“This wasn’t typical off-the-shelf malware, but rather a custom-built backdoor specifically designed for Cisco ISE environments,” Moses said.
The web shell comes fitted with capabilities to fly under the radar, operating entirely in memory and using Java reflection to inject itself into running threads. It also registers as a listener to monitor all HTTP requests across the Tomcat server and implements DES encryption with non-standard Base64 encoding to evade detection.
Amazon described the campaign as indiscriminate, characterizing the threat actor as “highly resourced” owing to its ability to leverage multiple zero-day exploits, either by possessing advanced vulnerability research capabilities or having potential access to non-public vulnerability information. On top of that, the use of bespoke tools reflects the adversary’s knowledge of enterprise Java applications, Tomcat internals, and the inner workings of Cisco ISE.
The findings once again illustrate how threat actors are continuing to target network edge appliances to breach networks of interest, making it crucial that organizations limit access, through firewalls or layered access, to privileged management portals.
“The pre-authentication nature of these exploits reveals that even well-configured and meticulously maintained systems can be affected,” Moses said. “This underscores the importance of implementing comprehensive defense-in-depth strategies and developing robust detection capabilities that can identify unusual behavior patterns.”
