The Amazon Threat Intelligence team has uncovered a highly sophisticated threat campaign exploiting multiple zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix systems, demonstrating a major escalation in attacker focus on identity and network access control infrastructure — the backbone of enterprise authentication and authorization.
The campaign included the use of custom, stealthy malware, exploitation of unpatched code paths, and broad targeting across the public internet.
The first sign of the threat surfaced when Amazon’s MadPot honeypot network detected exploitation attempts hitting internet-facing Citrix infrastructure.
“Our Amazon MadPot honeypot service detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) prior to public disclosure.”
The early detection revealed that the attacker already possessed working exploits for the Citrix Bleed 2 flaw before it had a CVE assigned — confirming zero-day exploitation in the wild.
During deeper analysis of the attacker’s traffic, Amazon discovered a second zero-day directed at Cisco ISE.
“Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic.”
Cisco later designated this vulnerability CVE-2025-20337, confirming that attackers were achieving pre-authentication remote code execution (RCE) on Cisco ISE systems.
Even more concerning:
“Exploitation was occurring in the wild before Cisco had assigned a CVE number or released comprehensive patches across all affected branches.”
After gaining access, the adversary deployed a highly sophisticated in-memory web shell, disguised as a legitimate Cisco ISE component named IdentityAuditAction. It was not commodity malware.
Amazon notes:
“This wasn’t typical off-the-shelf malware, but rather a custom-built backdoor specifically designed for Cisco ISE environments.”
Key capabilities included:
- Running fully in-memory to avoid leaving artifacts
- Using Java reflection to hijack live Tomcat threads
- Registering as an HTTP listener to inspect all traffic
- Encrypting payloads using DES and non-standard Base64 encoding
- Requiring special HTTP headers to activate
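Two of the facts above give defenders concrete, cheap detection hooks: the initial access abused deserialization logic on a pre-authentication endpoint, and the implant only answered requests carrying specific HTTP headers. The following Python script is an added example, not code from Amazon's report or from Cisco. It runs two checks over request records exported from a reverse proxy or WAF in front of an ISE node: it flags bodies that begin with the Java serialization stream header (bytes `AC ED 00 05`, which appear as `rO0AB` in base64), and it flags request headers outside a baseline of headers legitimate clients send. The endpoint path, the header name `X-Activation-Token`, the `BASELINE_HEADERS` set and the log records are all constructed for illustration; the report does not publish the real endpoint or header names, so tune the baseline to your own traffic.

```python
import base64
from dataclasses import dataclass

# Java serialization stream header (STREAM_MAGIC 0xACED, STREAM_VERSION 5).
# Any body starting with it is a serialized Java object, which has no business
# arriving on a pre-authentication endpoint.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Assumption: headers a legitimate browser or API client sends to this service.
# Anything outside this set is worth a look; implants that gate on a special
# header will show up here. Tune per environment.
BASELINE_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "content-type", "content-length", "cookie", "authorization",
    "connection", "referer", "origin",
}


@dataclass
class Finding:
    record_no: int
    path: str
    reasons: list


def looks_like_java_serialized(body_b64: str) -> bool:
    """True if the base64-encoded request body starts with the Java stream magic."""
    try:
        raw = base64.b64decode(body_b64, validate=True)
    except (ValueError, TypeError):
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)


def unexpected_headers(headers: dict) -> set:
    """Header names (lower-cased) that are not in the expected baseline."""
    return {name.lower() for name in headers} - BASELINE_HEADERS


def analyze(records: list) -> list:
    """Return a Finding for every record that trips at least one check."""
    findings = []
    for n, rec in enumerate(records, start=1):
        reasons = []
        if rec.get("method") == "POST" and looks_like_java_serialized(rec.get("body_b64", "")):
            reasons.append("java-serialized-body")
        extra = unexpected_headers(rec.get("headers", {}))
        if extra:
            reasons.append("unexpected-headers:" + ",".join(sorted(extra)))
        if reasons:
            findings.append(Finding(n, rec.get("path", ""), reasons))
    return findings


# Constructed sample records (not real traffic). Record 2 carries a body whose
# base64 decodes to AC ED 00 05 73 72, the start of a serialized Java object;
# record 3 carries a header name outside the baseline.
SAMPLE_RECORDS = [
    {"method": "GET", "path": "/admin/login",
     "headers": {"Host": "ise.example.internal", "User-Agent": "Mozilla/5.0", "Accept": "text/html"},
     "body_b64": ""},
    {"method": "POST", "path": "/example/undocumented-endpoint",   # placeholder path
     "headers": {"Host": "ise.example.internal", "Content-Type": "application/octet-stream",
                 "Content-Length": "6"},
     "body_b64": "rO0ABXNy"},
    {"method": "GET", "path": "/admin/",
     "headers": {"Host": "ise.example.internal", "User-Agent": "curl/8.0",
                 "X-Activation-Token": "constructed-value"},                # placeholder header
     "body_b64": ""},
]


def run_demo() -> list:
    """Analyze the constructed sample and return the findings."""
    return analyze(SAMPLE_RECORDS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"record {f.record_no} {f.path}: {', '.join(f.reasons)}")
```

The base64 check is deliberately strict (`validate=True`) so that ordinary form posts are not decoded as noise; if your proxy logs raw bodies instead of base64, compare the first four bytes to `JAVA_SERIAL_MAGIC` directly. The header check is a baseline-deviation rule rather than a signature, which is the point: the report shows the implant's activation headers were attacker-chosen, so matching on names you already know is not enough.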
A snippet of the attacker’s deserialization routine reveals the elaborate access controls embedded into the web shell. This level of craftsmanship is rarely seen outside state-aligned or highly resourced threat groups.
Amazon’s analysis concludes that this threat actor possessed — and weaponized — multiple zero-day vulnerabilities simultaneously.
“The access to multiple unpublished zero-day exploits indicates a highly resourced threat actor with advanced vulnerability research capabilities or potential access to non-public vulnerability information.”
The actor also launched indiscriminate mass scanning across the internet for vulnerable Citrix and Cisco systems.