Amazon Uncovers Attacks Exploited Cisco ISE and Citrix NetScaler as Zero-Day Flaws
Briefly

"Amazon's threat intelligence team on Wednesday disclosed that it observed an advanced threat actor exploiting two then-zero-day security flaws in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products as part of attacks designed to deliver custom malware. "This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure - the systems enterprises rely on to enforce security policies and manage authentication across their networks," CJ Moses, CISO of Amazon Integrated Security, said in a report shared with The Hacker News."
"CVE-2025-5777 or Citrix Bleed 2 (CVSS score: 9.3) - An insufficient input validation vulnerability in Citrix NetScaler ADC and Gateway that could be exploited by an attacker to bypass authentication. (Fixed by Citrix in June 2025)
CVE-2025-20337 (CVSS score: 10.0) - An unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow a remote attacker to execute arbitrary code on the underlying operating system as root. (Fixed by Cisco in July 2025)"
"The tech giant said it detected exploitation attempts targeting CVE-2025-5777 as a zero-day, and that further investigation of the threat led to the discovery of an anomalous payload aimed at Cisco ISE appliances by weaponizing CVE-2025-20337. The activity is said to have culminated in the deployment of a custom web shell disguised as a legitimate Cisco ISE component named IdentityAuditAction. "This wasn't typical off-the-shelf malware, but rather a custom-built backdoor specifically designed for Cisco ISE environments," Moses said."
Amazon's MadPot honeypot network detected exploitation attempts against two critical vulnerabilities in Citrix NetScaler ADC and Cisco Identity Services Engine (ISE), both zero-days at the time. CVE-2025-5777 (Citrix Bleed 2, CVSS 9.3) is an insufficient input validation flaw in NetScaler ADC and Gateway that allows authentication bypass; Citrix fixed it in June 2025. Further investigation of that activity turned up an anomalous payload aimed at Cisco ISE appliances that exploited CVE-2025-20337 (CVSS 10.0), an unauthenticated remote code execution flaw in Cisco ISE and ISE-PIC that yields root on the underlying operating system; Cisco fixed it in July 2025. The adversary then deployed a custom web shell masquerading as a legitimate ISE component named IdentityAuditAction, which points to bespoke backdoor development aimed at identity and network access control infrastructure rather than off-the-shelf malware. Because exploitation preceded both patches, an appliance that was internet-reachable before the fixes were applied should be treated as potentially compromised, not merely as previously vulnerable.
Read at The Hacker News