Amazon: Cisco, Citrix 0-days indicate 'advanced' attacker
Briefly

"The cloud giant's MadPot honeypot detected the unnamed miscreant(s) attempting to break into buggy Citrix NetScaler ADC and NetScaler Gateway devices via CVE-2025-5777 before the critical vulnerability was publicly disclosed, Moses said in a Wednesday security blog. CVE-2025-5777 is an out-of-bounds read flaw in NetScaler Gateway and AAA virtual servers that can allow remote attackers to leak memory contents. Security researchers dubbed it CitrixBleed 2 due to similarities with the original CitrixBleed that allowed both nation-state spies and ransomware gangs to steal session secrets."
"'Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic,' Moses wrote. This previously undocumented Cisco bug, now tracked as CVE-2025-20337, received a maximum-severity 10 CVSS rating as it allowed unauthenticated, remote attackers to run arbitrary code on the operating system with root-level privileges."
MadPot honeypot telemetry detected exploitation attempts targeting Citrix NetScaler ADC and NetScaler Gateway via CVE-2025-5777 before the vulnerability was publicly disclosed. CVE-2025-5777 is an out-of-bounds read in NetScaler Gateway and AAA virtual servers that can leak memory contents; security researchers labeled it CitrixBleed 2 because of its similarity to the original CitrixBleed, which let attackers steal session secrets. Citrix released a fix on June 17, but exploitation and session hijacking were reported by July. While investigating the same activity, Amazon Threat Intelligence identified an anomalous payload aimed at a previously undocumented Cisco ISE endpoint with vulnerable deserialization logic; the related bug, CVE-2025-20337, allows unauthenticated remote code execution as root and was exploited before patches were widely available.
Read at The Register