APT Targets Cisco and Citrix Zero Days
The chain of discovery began with Amazon's security honeypot service, MadPot, which detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) before its public disclosure

November 12, 2025 | 2 min read

An unidentified threat actor has been exploiting not one, but two major vulnerabilities as zero-days—one in Citrix and a previously unknown flaw in Cisco's Identity Services Engine (ISE)—according to an investigation by Amazon Threat Intelligence.
The chain of discovery began with Amazon's security honeypot service, MadPot, which detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) before its public disclosure. This initial finding was a strong indicator that a threat actor was already leveraging the vulnerability as a zero-day in the wild.
After more digging into the activity of the threat actor, Amazon Threat Intelligence found an unknown payload targeting Cisco ISE. The payload exploited a newly discovered vulnerability in a previously undocumented endpoint, leveraging vulnerable deserialization logic. This flaw (CVE-2025-20337) allowed the attackers to achieve pre-authentication remote code execution (RCE) on Cisco ISE deployments, leading to administrator-level access to compromised network systems.
What makes the Cisco ISE discovery particularly concerning is that the exploitation was occurring before Cisco had assigned a CVE number or released patches across all of the affected branches. This technique is typical of APT groups and other high-level threat actors who have the resources to monitor public and private threat intelligence and do their own exploit development.
Following the successful exploitation of the Cisco ISE flaw, the threat actor deployed a custom-built web shell disguised as a legitimate Cisco ISE component, called IdentityAuditAction. This was not an off-the-shelf tool; it was a bespoke backdoor tailored for Cisco ISE environments.
The indiscriminate, internet-wide targeting with multiple zero-day exploits illustrates the evolving and increasingly dangerous tactics used against critical enterprise infrastructure at the network edge. The threat actor that Amazon’s team identified in these attacks has shown considerable knowledge of the target apps and environments, as well as the ability to perform original vulnerability research.
Both Cisco and Citrix released patches for the targeted vulnerabilities in June.
Dennis Fisher is an award-winning journalist and author. He is one of the co-founders of Decipher and Threatpost and has been writing about cybersecurity since 2000. Dennis enjoys finding the stories behind the headlines and digging into the motivations and thinking of both defenders and attackers. He is the author of 2.5 novels and once met Shaq. Contact: dennis at decipher.sc.