Pre‑disclosure exploitation of Citrix Bleed 2 and Cisco ISE RCE identified in broad campaign

CyberSecureFox 🦊

Amazon Threat Intelligence has documented a large-scale campaign abusing two critical 0‑day vulnerabilities: CVE-2025-5777 (Citrix Bleed 2) affecting NetScaler ADC/Gateway and CVE-2025-20337 in Cisco Identity Services Engine (ISE). Data from the Amazon MadPot honeypot network indicates attackers probed and exploited both flaws well before public disclosure and vendor patches, widening the real-world exposure window.

Timeline and evidence of pre-disclosure exploitation

Activity tied to Citrix Bleed 2 (CVE-2025-5777) was observed prior to official details. The issue is an out‑of‑bounds memory read in NetScaler ADC and Gateway, a class of bug that can leak sensitive data or break process isolation. Citrix issued fixes in late June 2025. Within days, public exploit code emerged in early July, and the U.S. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog—signals of active, in-the-wild exploitation against perimeter appliances.

Concurrently, researchers captured a distinctive payload targeting Cisco ISE that abused an undocumented endpoint and unsafe deserialization logic to achieve remote code execution (RCE). Coordinated disclosure to Cisco led to CVE-2025-20337 in July 2025. The flaw enables an unauthenticated adversary to upload files, run arbitrary code, and ultimately obtain root access on vulnerable ISE nodes. Cisco warned of ongoing exploitation after releasing patches, and later in July, ZDI researcher Bobby Gould published a detailed technical analysis of the exploit chain, underscoring the reliability of the RCE path.

Attack chain: from initial access to persistence

According to Amazon’s observations, intrusions typically began by exploiting CVE-2025-20337 to gain administrative control of Cisco ISE without credentials. Post-compromise, operators deployed a bespoke web shell dubbed IdentityAuditAction, camouflaged as a legitimate ISE component. The implant registered itself as an HTTP listener, intercepted inbound requests, and used Java reflection to inject into Apache Tomcat server threads, achieving stealthy, long-lived persistence.

To evade detection and hinder forensic analysis, the operators combined DES encryption with nonstandard Base64 encoding and gated command-and-control traffic behind specific HTTP headers. This tradecraft keeps network flows looking legitimate and minimizes on-disk artifacts, complicating both signature-based detection and incident response.

Attribution signals and campaign profile

The coordinated use of multiple 0‑days, deep familiarity with Java/Tomcat internals, and intimate knowledge of Cisco ISE components suggest a highly skilled threat actor, potentially with APT-level capabilities. Yet the campaign appeared untargeted, with broad scanning and opportunistic compromise across sectors—behavior consistent with tooling validation or infrastructure staging ahead of more selective operations.

Why edge appliances raise systemic risk

Perimeter devices such as NetScaler ADC/Gateway and Cisco ISE often sit at the network edge with elevated privileges. A successful compromise provides an attacker with a durable foothold for lateral movement, credential access, and privilege escalation, particularly where these systems integrate with identity, VPN, or load-balancing functions.

Defensive priorities and mitigation steps

1) Patch comprehensively and verify coverage

Apply updates for CVE-2025-5777 and CVE-2025-20337 immediately across all affected instances, including HA pairs, clusters, DR sites, and lab/staging environments. Validate versions and hotfix levels.

2) Minimize exposure of management planes

Restrict access to NetScaler and Cisco ISE admin interfaces via ACLs, VPN, and jump hosts; enforce IP/ASN allowlists; and place WAF/traffic filtering in front of public endpoints.

3) Enhance monitoring and hunting

Hunt for anomalous HTTP headers, unusual User-Agent chains, long-lived “quiet” connections, unfamiliar classes or artifacts in ISE extension directories, nonstandard listeners, and signs of Tomcat thread injection. Correlate events from the period preceding public disclosure.

4) Update detection and harden inputs

Refresh IDS/IPS signatures and SIEM rules for exploitation attempts; enforce strict deserialization policies and input validation; and limit arbitrary file upload/execution paths.

5) Prepare for containment and recovery

Exercise incident response playbooks, ensure tested backups with isolated restore, and apply integrity monitoring and whitelisting for ISE/NetScaler binaries and extensions.
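As an added illustration of the hunting priorities in steps 3 and 4 (not code from the article or from Amazon), the script below runs three heuristics drawn from the described tradecraft over constructed proxy-log lines: request header names outside a baseline allowlist, long-lived connections that return almost nothing, and opaque tokens that look like Base64 but use a nonstandard alphabet. The log format, the endpoint path and the baseline header set are assumptions for the example; no real indicators are used.

```python
import re

# Constructed sample lines (not real ISE/NetScaler output). Assumed format of a
# hypothetical reverse-proxy log in front of the appliance:
#   ts src method path status resp_bytes duration_ms header_names body_token
SAMPLE_LOG = """\
2025-07-01T10:00:01Z 203.0.113.5 GET /admin/ 200 5120 140 Host;User-Agent;Accept;Cookie -
2025-07-01T10:00:09Z 203.0.113.7 POST /api/v1/hypothetical-endpoint 200 312 870000 Host;User-Agent;X-Session-Token;X-Cmd-Seq Q2ZpZ3VyYXRpb24.ZGF0YQ!!
2025-07-01T10:01:15Z 198.51.100.9 GET /portal/ 200 8844 95 Host;User-Agent;Accept;Accept-Encoding -
2025-07-01T10:02:44Z 203.0.113.7 POST /api/v1/hypothetical-endpoint 200 128 1200 Host;User-Agent;X-Cmd-Seq Y29tbWFuZA==
"""

# Header names legitimate clients send in this (assumed) environment; tune to your own.
BASELINE_HEADERS = {"host", "user-agent", "accept", "accept-encoding", "accept-language",
                    "cookie", "content-type", "content-length", "referer", "connection"}
QUIET_MS, QUIET_BYTES = 300_000, 1_024     # open for >5 min, yet under 1 KiB returned
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (\d+) (\S*) (\S+)$")
STD_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def looks_like_odd_base64(token: str) -> bool:
    """Long opaque token that is mostly alphanumeric yet uses characters outside the
    standard Base64 alphabet: a custom alphabet or custom padding is a common tell."""
    if token == "-" or len(token) < 16 or STD_B64.match(token):
        return False
    return sum(c.isalnum() for c in token) / len(token) > 0.8

def analyze(log_text: str) -> list:
    """Return (src, path, reasons) for each request that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines that do not fit the format
        _ts, src, _method, path, _status, nbytes, dur_ms, hdrs, body = m.groups()
        reasons = []
        unknown = sorted({h.lower() for h in hdrs.split(";") if h} - BASELINE_HEADERS)
        if unknown:
            reasons.append("nonstandard headers: " + ",".join(unknown))
        if int(dur_ms) > QUIET_MS and int(nbytes) < QUIET_BYTES:
            reasons.append("long-lived quiet connection")
        if looks_like_odd_base64(body):
            reasons.append("nonstandard base64-like body")
        if reasons:
            findings.append((src, path, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for src, path, reasons in analyze(SAMPLE_LOG):
        print(f"{src} {path}: {'; '.join(reasons)}")
```

Feed it real proxy or WAF logs by adapting LINE_RE to your format, and treat a request that trips several heuristics at once as a higher-priority lead for the pre-disclosure window.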

These incidents reaffirm that the “risk window” opens before advisories are published. Organizations should prioritize proactive patch management, attack-surface reduction, and continuous monitoring of edge systems. If patches are outstanding, apply them now, reassess exposure of management interfaces, and expand hunting to include pre-disclosure activity.
