Amazon's threat intelligence team reported on Wednesday that they observed an advanced threat actor actively exploiting two zero-day security flaws. These vulnerabilities were found in network access control systems, specifically Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC, and were used to deliver custom malware.
CJ Moses, CISO of Amazon Integrated Security, emphasized that this discovery highlights a significant trend: threat actors are now focusing on critical identity and network infrastructure, the exact systems enterprises rely on to manage authentication and enforce security policies.
Exploited Zero-Day Flaws
The attacks were detected by Amazon's MadPot honeypot network, which flagged activity weaponizing the following critical vulnerabilities:
- CVE-2025-5777 (Citrix Bleed 2): A high-severity (CVSS 9.3) flaw in Citrix NetScaler ADC and Gateway that allows attackers to bypass authentication. (Fixed by Citrix in June 2025.)
- CVE-2025-20337 (Cisco ISE RCE): A maximum-severity (CVSS 10.0) unauthenticated Remote Code Execution (RCE) vulnerability in Cisco ISE that allows a remote attacker to execute arbitrary code with root privileges. (Fixed by Cisco in July 2025.)
Amazon detected exploitation attempts against the Citrix flaw while it was still a zero-day. Further investigation led to the discovery of a payload targeting Cisco ISE appliances through the RCE flaw. This activity culminated in the deployment of a custom web shell disguised as a legitimate Cisco ISE component named IdentityAuditAction.
Custom Malware and Threat Actor Profile
The web shell was custom-built specifically for Cisco ISE environments. It was designed to evade detection by operating entirely in memory, using Java reflection to inject itself into running threads, and implementing DES encryption with a non-standard Base64 encoding.
Amazon described the actor as "highly resourced" because of its ability to leverage multiple zero-day exploits. This suggests the group possesses advanced vulnerability research capabilities or access to non-public information. Furthermore, the use of bespoke tooling reflects the adversary's deep knowledge of enterprise Java applications, Tomcat internals, and the inner workings of Cisco ISE.
These findings underscore the critical need for organizations to adopt comprehensive defense-in-depth strategies. Because these exploits work before authentication, even well-configured systems can be compromised, so it is crucial to implement robust detection capabilities that can spot unusual network activity and behavioral patterns.
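The report notes that the web shell wraps its traffic in DES with a non-standard Base64 alphabet, which is exactly the kind of detail that makes captured payloads look like noise to an analyst. As an added example (not code from Amazon's report, Cisco, or Citrix), the Python below shows a triage routine for such strings: it decodes a captured blob against a set of candidate alphabets and keeps the result with the highest printable-byte ratio. The `ROTATED_ALPHABET` and the sample input are constructed and hypothetical; the real web shell's alphabet is not published, and the DES layer is not shown.

```python
import base64
import binascii
import string

STANDARD_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                     + string.digits + "+/")

# Hypothetical, constructed alphabet for illustration only: the standard table
# rotated by one position. The actual web shell alphabet is not published.
ROTATED_ALPHABET = STANDARD_ALPHABET[1:] + STANDARD_ALPHABET[:1]

# Candidate alphabets an analyst would accumulate from prior samples.
CANDIDATE_ALPHABETS = {
    "standard": STANDARD_ALPHABET,
    "rotated": ROTATED_ALPHABET,
}


def decode_with_alphabet(blob: str, alphabet: str) -> bytes:
    """Decode Base64 text written with an arbitrary 64-character alphabet.

    The blob is translated into the standard alphabet, re-padded, and handed to
    the stdlib decoder with validation so stray characters raise an error.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must have 64 distinct characters")
    blob = blob.rstrip("=")
    if any(ch not in alphabet for ch in blob):
        raise binascii.Error("character outside candidate alphabet")
    normalized = blob.translate(str.maketrans(alphabet, STANDARD_ALPHABET))
    normalized += "=" * (-len(normalized) % 4)
    return base64.b64decode(normalized, validate=True)


def encode_with_alphabet(raw: bytes, alphabet: str) -> str:
    """Inverse of decode_with_alphabet; used here only to build sample input."""
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STANDARD_ALPHABET, alphabet))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (tab, LF and CR included)."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def triage_blob(blob: str, alphabets=CANDIDATE_ALPHABETS):
    """Try every candidate alphabet and return (name, plaintext, ratio) for the
    decoding with the highest printable ratio, or None if nothing decodes."""
    scored = []
    for name, alphabet in alphabets.items():
        try:
            out = decode_with_alphabet(blob, alphabet)
        except (ValueError, binascii.Error):
            continue
        scored.append((printable_ratio(out), name, out))
    if not scored:
        return None
    ratio, name, out = max(scored, key=lambda t: t[0])
    return name, out, ratio


if __name__ == "__main__":
    # Constructed sample: a harmless marker string encoded with the rotated alphabet.
    sample = encode_with_alphabet(b"ise-test", ROTATED_ALPHABET)
    print(sample, triage_blob(sample))
```

The printable-ratio score is a deliberately simple heuristic: a wrong alphabet usually yields a high fraction of non-ASCII bytes, while the correct one yields text or a recognizable structure. When the next layer is a block cipher such as DES, the decoded bytes will still look random, so the check that matters is then the length being a multiple of the 8-byte block size rather than printability.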