
Cisco ISE, CitrixBleed 2 Vulnerabilities Exploited as Zero-Days: Amazon

Amazon has seen a threat actor exploiting CVE-2025-20337 and CVE-2025-5777, two critical Cisco and Citrix vulnerabilities, as zero-days. The post Cisco ISE, CitrixBleed 2 Vulnerabilities Exploited as Zero-Days: Amazon appeared first on SecurityWeek.


A threat actor was seen exploiting two critical Citrix and Cisco vulnerabilities as zero-days weeks before patches were released, Amazon reports.

The Citrix flaw, tracked as CVE-2025-5777 (CVSS score of 9.3), is an insufficient input validation issue leading to an out-of-bounds memory read in NetScaler ADC and NetScaler Gateway.

It was patched on June 17 and was soon after dubbed CitrixBleed 2 by security researcher Kevin Beaumont, who compared it to the original CitrixBleed bug (CVE-2023-4966), which leaked session tokens from memory and let attackers hijack authenticated sessions, bypassing multi-factor authentication.

Roughly one week later, the first exploitation attempts targeting CitrixBleed 2 were seen, and technical details and exploits emerged several days later. In mid-July, CISA added the flaw to its Known Exploited Vulnerabilities catalog, warning that it poses an unacceptable risk to federal agencies.

Now, Amazon says its honeypot service detected exploitation attempts before the flaw was publicly disclosed. An APT “had been exploiting the vulnerability as a zero-day,” the company says.

Amazon’s investigation into the attacks also uncovered zero-day exploitation of CVE-2025-20337 (CVSS score of 10/10), a Cisco Identity Services Engine (ISE) vulnerability disclosed on July 16.

Affecting a specific API of ISE and ISE Passive Identity Connector (ISE-PIC), the flaw stems from insufficient validation of user-supplied input and allows unauthenticated attackers who submit a crafted API request to execute arbitrary code on the underlying operating system with root privileges.

Shortly after disclosing the vulnerability, Cisco warned that it had evidence that threat actors were exploiting it in the wild, along with another critical bug in the same API, namely CVE-2025-20281.

According to Amazon’s new report, in-the-wild exploitation of the Cisco ISE flaw started before comprehensive patches were released.

The APT was seen deploying a custom web shell posing as a legitimate ISE component. It operated entirely in memory, leaving nothing for a file-based scan of the appliance to find, and relied on Java reflection to inject itself into running threads.

The malware, a backdoor built specifically for ISE environments, positioned itself to see every HTTP request passing through the Tomcat server but responded only to requests carrying specific HTTP headers, so ordinary traffic and scanners never triggered it. Its command traffic was obfuscated with DES encryption and a non-standard Base64 alphabet, which defeats detection logic that expects standard Base64.
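A permuted Base64 alphabet is a cheap way to make command traffic unreadable to tooling that only knows the standard alphabet. The following is an added analysis helper, not Amazon's tooling and not the actor's code: it normalises a custom-alphabet token to standard Base64 with a translation table and then uses the block alignment of the decoded bytes as a triage hint for an 8-byte cipher such as DES versus a 16-byte cipher such as AES. The alphabet and the sample bytes are constructed for this example; the real alphabet and DES key are not given on this page, so decryption is out of scope.

```python
import base64
import binascii
import string

# Standard RFC 4648 alphabet, in index order.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Assumption: a permuted alphabet constructed for this example. The alphabet used by
# the ISE backdoor is not published in the article, so this is NOT the actor's alphabet.
CUSTOM_ALPHABET = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210-_"


def _pad(token: str) -> str:
    """Restore '=' padding that evasive encoders often strip."""
    return token + "=" * (-len(token) % 4)


def decode_with_alphabet(token: str, alphabet: str) -> bytes:
    """Decode Base64 that uses a permuted 64-character alphabet.

    The token is translated character-for-character to the standard alphabet and
    handed to the stdlib decoder, so no bespoke bit-shuffling is needed.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 unique characters")
    table = str.maketrans(alphabet, STD_ALPHABET)
    return base64.b64decode(_pad(token).translate(table), validate=True)


def encode_with_alphabet(data: bytes, alphabet: str) -> str:
    """Inverse of decode_with_alphabet; used here only to build the sample token."""
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(data).decode("ascii").translate(table)


def standard_decode_plausible(token: str) -> bool:
    """True if the token is syntactically valid standard Base64.

    This says nothing about whether the result is meaningful: a custom-alphabet
    token built from letters and digits still passes, it just decodes to garbage.
    """
    try:
        base64.b64decode(_pad(token), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def block_alignment(blob: bytes) -> str:
    """Classify a decoded blob by block-cipher alignment.

    DES/3DES produce 8-byte blocks and AES 16-byte blocks, so ECB/CBC output with
    PKCS padding is always a multiple of the block size. A triage hint, not proof.
    """
    n = len(blob)
    if n == 0:
        return "empty"
    if n % 16 == 0:
        return "16-byte aligned (AES-sized, or an 8-byte cipher by coincidence)"
    if n % 8 == 0:
        return "8-byte aligned (DES/3DES-sized blocks)"
    return "not block-aligned (stream cipher, or not raw block-cipher output)"


def triage(token: str, alphabet: str) -> dict:
    """Try both decodings and report what an analyst needs to decide next steps."""
    result = {"standard_decodes": standard_decode_plausible(token)}
    try:
        blob = decode_with_alphabet(token, alphabet)
        result["custom_decoded_len"] = len(blob)
        result["alignment"] = block_alignment(blob)
    except (binascii.Error, ValueError) as exc:
        result["custom_error"] = str(exc)
    return result


# Constructed sample: 24 arbitrary bytes standing in for three DES-CBC blocks.
# Not real DES output; the key is unknown and the stdlib ships no DES primitive.
SAMPLE_BLOB = bytes(range(0x10, 0x28))
SAMPLE_TOKEN = encode_with_alphabet(SAMPLE_BLOB, CUSTOM_ALPHABET)

if __name__ == "__main__":
    print("token:", SAMPLE_TOKEN)
    print(triage(SAMPLE_TOKEN, CUSTOM_ALPHABET))
```

Recovering the alphabet itself usually comes from the web shell's bytecode (the decoder's lookup table) or from a memory capture, since an in-memory implant leaves no file to pull it from; once you have it, the translation-table approach above means existing Base64 tooling keeps working unchanged.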

“The threat actor’s custom tooling demonstrated a deep understanding of enterprise Java applications, Tomcat internals, and the specific architectural nuances of the Cisco Identity Service Engine,” Amazon says.

The company believes the attacks were orchestrated by a highly resourced threat actor that had access to the unpublished zero-days either through advanced vulnerability research capabilities or through access to non-public vulnerability information.

Asked by SecurityWeek whether it has been able to link the attacks to a specific threat actor, Amazon said it could not share any information on attribution.

Related: CitrixBleed 2: 100 Organizations Hacked, Thousands of Instances Still Vulnerable

Related: Cisco Patches Critical Vulnerabilities in Contact Center Appliance

Related: Cisco, Fortinet, Palo Alto Networks Devices Targeted in Coordinated Campaign

Related: Citrix Patches Exploited NetScaler Zero-Day
