Amazon’s threat intelligence team revealed Wednesday that it observed sophisticated threat actors exploiting two then-current zero-day security flaws in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products as part of an attack aimed at delivering custom malware.
“This discovery highlights a trend in threat actors’ focus on critical identity and network access control infrastructure, the systems that enterprises rely on to enforce security policies and manage authentication across networks,” CJ Moses, CISO at Amazon Integrated Security, said in a report shared with The Hacker News.
This attack was alerted to by the MadPot honeypot network and leveraged two vulnerabilities:
CVE-2025-5777 or Citrix Bleed 2 (CVSS Score: 9.3) – Insufficient input validation vulnerability in Citrix NetScaler ADC and Gateway that could be exploited by an attacker to bypass authentication. (Fixed by Citrix in June 2025) CVE-2025-20337 (CVSS Score: 10.0) – An unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow a remote attacker to execute arbitrary code as root on the underlying operating system. (Fixed by Cisco in July 2025)
Both flaws have been exploited in the wild, but Amazon’s report reveals the exact nature of the attacks that leverage them.
The tech giant said it detected an exploitation attempt targeting CVE-2025-5777 as a zero-day and further investigation into the threat discovered an anomalous payload that weaponized CVE-2025-20337 and targeted Cisco ISE appliances. This activity allegedly culminated in the introduction of a custom web shell masquerading as a legitimate Cisco ISE component named IdentityAuditAction.
“This was not typical off-the-shelf malware, but a custom-built backdoor designed specifically for the Cisco ISE environment,” Moses said.
The web shell has the ability to operate under the radar, operating entirely in memory and using Java reflection to inject itself into a running thread. It also registers as a listener to monitor all HTTP requests across the Tomcat server and implements DES encryption with non-standard Base64 encoding to avoid detection.
Amazon describes the campaign as being indiscriminate and characterizes the attackers as “sophisticated and resourceful” due to their ability to leverage multiple zero-day exploits, as they have advanced vulnerability research capabilities or may have access to non-public vulnerability information. Additionally, the use of custom tools reflects the attacker’s knowledge of enterprise Java applications, the internal structure of Tomcat, and the inner workings of Cisco ISE.
Our findings reiterate that attackers continue to target network edge appliances to infiltrate targeted networks, making it important for organizations to restrict access to privileged management portals through firewalls and tiered access.
“The pre-authenticated nature of these exploits makes it clear that even well-configured and meticulously maintained systems can be affected,” said Moses. “This highlights the importance of implementing a comprehensive defense-in-depth strategy and developing robust detection capabilities that can identify anomalous behavior patterns.”
Source link
