Amazon Uncovers Active Exploitation of Cisco and Citrix Zero-Days

Amazon report on active zero-day exploits targeting Cisco and Citrix enterprise infrastructure.

Amazon detected an actor exploiting Cisco and Citrix zero-days. Read our analysis and response to protect your corporate networks.

The Vulnerabilities

CVE-2025-5777 (Citrix Bleed 2) – An authentication bypass vulnerability in Citrix NetScaler ADC and Gateway (CVSS 9.3). Notably, Amazon detected exploitation in May 2025, before Citrix released a fix in June.

CVE-2025-20337 (Cisco ISE) – An unauthenticated remote code execution vulnerability allowing attackers to execute arbitrary code as root (CVSS 10.0). Fixed by Cisco in July 2025.

Ultimately, threat actors exploited both vulnerabilities in the wild before patches became available.

Custom Web Shell Deployment

The attackers deployed a custom web shell disguised as a legitimate Cisco component named “IdentityAuditAction.” This backdoor specifically targets Cisco ISE environments and includes:

  • In-memory execution to avoid file-based detection
  • Java reflection injection into the Tomcat web server
  • DES encryption and non-standard Base64 encoding to hide commands
  • HTTP request monitoring capabilities

Why This Matters

Cisco ISE and Citrix NetScaler are critical access control systems that manage authentication across enterprise networks. Compromising them gives attackers administrative privileges and the ability to move laterally into sensitive infrastructure.

Amazon characterized the threat actor as “highly resourced,” with access to multiple zero-day exploits and deep knowledge of enterprise Java applications and system architecture.

CJ Moses, CISO of Amazon Integrated Security, noted: “The pre-authentication nature of these exploits reveals that even well-configured and meticulously maintained systems can be affected.”

Recommendations

Organizations should:

  • Patch Cisco ISE and Citrix NetScaler systems immediately
  • Restrict access to management portals through firewalls and network segmentation
  • Monitor for unusual HTTP traffic and administrative activity
  • Assume these systems may already be compromised and develop detection capabilities for anomalous behavior
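The monitoring recommendation above is easier to act on with a concrete triage rule set. The following script is an added example written for this article, not code from Amazon's report or from Cisco or Citrix. It runs simple detections over constructed request records in a JSON-lines format (the record layout, the `10.10.0.0/24` management network, and the `/admin`, `/ers` and `/api/v1/` path prefixes are all assumptions for illustration): it flags requests that reference the "IdentityAuditAction" name the report says the web shell hid behind, POSTs to management paths from outside the management network, and request bodies that look like Base64 but are rejected by a strict standard decoder, which is one cheap way to surface the "non-standard Base64" encoding the report describes.

```python
import base64
import binascii
import ipaddress
import json
import re

# Assumed management network allowlist; replace with your own ranges.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# Component name the report says the web shell was disguised as.
SUSPECT_COMPONENT = "IdentityAuditAction"
# Path prefixes treated as administrative surface (assumed, not from the report).
ADMIN_PREFIXES = ("/admin", "/ers", "/api/v1/")

# Dense Base64-looking text of a useful length; a few extra symbols are allowed
# so that custom alphabets still match and can then fail the strict decode.
B64_LIKE = re.compile(r"^[A-Za-z0-9+/=_\-.!]{16,}$")


def nonstandard_base64(body: str) -> bool:
    """True when the body looks like Base64 but the standard decoder rejects it."""
    if not B64_LIKE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return False  # valid standard Base64: nothing unusual on its own
    except (binascii.Error, ValueError):
        return True


def from_management_net(src: str) -> bool:
    """True when the source address falls inside an allowlisted management range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_NETS)


def triage(record: dict) -> list[str]:
    """Return a list of human-readable findings for one request record."""
    findings = []
    path = record.get("path", "")
    if SUSPECT_COMPONENT in path:
        findings.append("path references IdentityAuditAction, the name the reported web shell hid behind")
    if (record.get("method") == "POST"
            and path.startswith(ADMIN_PREFIXES)
            and not from_management_net(record["src"])):
        findings.append("POST to a management path from outside the management network")
    if nonstandard_base64(record.get("body", "")):
        findings.append("request body looks Base64-encoded but is not standard Base64")
    return findings


def triage_log(lines) -> list[tuple]:
    """Run triage over JSON-lines records; return (line_no, src, path, findings) per hit."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        findings = triage(rec)
        if findings:
            alerts.append((line_no, rec["src"], rec["path"], findings))
    return alerts


# Constructed sample records (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """
{"src": "10.10.0.5", "method": "GET", "path": "/admin/login", "status": 200, "body": ""}
{"src": "203.0.113.7", "method": "POST", "path": "/admin/IdentityAuditAction", "status": 200, "body": "Zm9v.YmFy.YmF6.cXV4"}
{"src": "10.10.0.5", "method": "POST", "path": "/admin/config", "status": 200, "body": "aGVsbG8gd29ybGQ="}
{"src": "198.51.100.9", "method": "POST", "path": "/ers/config/endpoint", "status": 401, "body": "{}"}
"""

if __name__ == "__main__":
    for line_no, src, path, findings in triage_log(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {src} {path}")
        for finding in findings:
            print(f"  - {finding}")
```

Feed it your own records (a proxy or WAF export converted to the same fields) and tune the allowlist and prefixes first, otherwise the management-network rule will fire on every legitimate administrator. The Base64 check is deliberately a heuristic: a strict-decode failure on a long, dense token is a cue to look at the session, not proof of compromise.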