Amazon Discovers Zero-Day Attacks: Critical Vulnerabilities in Cisco and Citrix Systems Exploited

| Editorial Team
1

Amazon Uncovers Critical Zero-Day Attacks on Cisco and Citrix Systems

Amazon's security team has discovered a sophisticated threat actor exploiting zero-day vulnerabilities in Cisco Identity Service Engine (ISE) and Citrix NetScaler products to deploy custom malware. The attacks, detected in May 2025, targeted critical identity and network access control infrastructure that enterprises rely on for security enforcement and authentication.

The discovery highlights a concerning trend of advanced attackers specifically focusing on these vital systems. According to CJ Moses, CISO of Amazon Integrated Security, these exploits demonstrate how even well-maintained systems can be compromised through pre-authentication vulnerabilities.

The Vulnerabilities and Attack Methods

Amazon's MadPot honeypot network flagged two critical vulnerabilities being exploited:

  • CVE-2025-5777 (Citrix Bleed 2) – Rated 9.3 on the CVSS scale, this vulnerability in Citrix NetScaler ADC and Gateway allows attackers to bypass authentication due to insufficient input validation. Citrix patched this vulnerability in June 2025.

  • CVE-2025-20337 – With a perfect CVSS score of 10.0, this flaw in Cisco ISE and ISE-PIC enables unauthenticated remote code execution with root privileges. Cisco issued a fix in July 2025.

The attacks were particularly sophisticated, beginning with exploitation of the Citrix flaw as a zero-day in May 2025. Further investigation revealed that attackers were also targeting Cisco ISE appliances using the second vulnerability to deploy a custom web shell.

"This wasn't typical off-the-shelf malware, but rather a custom-built backdoor specifically designed for Cisco ISE environments," Moses explained in the report shared with The Hacker News.

These types of attacks represent some of the most dangerous advanced persistent threat attack vectors targeting enterprise networks today, requiring organizations to implement comprehensive security controls.

Technical Analysis of the Attack Chain

Security researchers have identified that the initial compromise typically begins with reconnaissance of exposed management interfaces, followed by exploitation of the zero-day vulnerability, and ultimately privilege escalation to gain full system control. This methodical approach demonstrates the attackers' disciplined operational security practices.

Sophisticated Malware Techniques

The malware discovered by Amazon's team showed remarkable sophistication:

  • Disguised as a legitimate Cisco ISE component called "IdentityAuditAction"
  • Operated entirely in memory to avoid detection
  • Used Java reflection to inject itself into running threads
  • Registered as a listener to monitor all HTTP requests across the Tomcat server
  • Implemented DES encryption with non-standard Base64 encoding to evade security tools

These characteristics indicate a highly skilled adversary with deep knowledge of enterprise Java applications, Tomcat internals, and Cisco ISE architecture.

Security experts note that the malware's memory-resident nature made it particularly difficult to detect using traditional security solutions that rely on file-based scanning techniques.

Threat Actor Capabilities

Amazon characterized the threat actor as "highly resourced" based on multiple factors:

  1. The ability to leverage multiple zero-day exploits
  2. Possible advanced vulnerability research capabilities
  3. Potential access to non-public vulnerability information
  4. Development of sophisticated, bespoke malware tools
  5. In-depth technical knowledge of targeted systems

The campaign appeared indiscriminate, suggesting the attackers may have been casting a wide net or conducting reconnaissance before more targeted operations.

Attribution and Motivation Analysis

While Amazon's report does not definitively attribute the attacks to a specific threat group, the technical sophistication and targeting of critical infrastructure components align with patterns observed in state-sponsored cyber espionage campaigns. The attackers' techniques mirror those documented by MITRE ATT&CK for advanced persistent threats.

Organizations should understand that cybersecurity importance extends beyond compliance requirements to protecting critical business operations and sensitive customer data from these sophisticated threats.

Implications for Organizations

This incident reinforces how threat actors continue targeting network edge appliances as entry points into corporate networks. Organizations using these products should:

  • Limit access to privileged management portals using firewalls or layered access controls
  • Implement comprehensive defense-in-depth strategies
  • Develop robust detection capabilities for unusual behavior patterns
  • Apply security patches promptly when available
  • Monitor systems for signs of compromise

"The pre-authentication nature of these exploits reveals that even well-configured and meticulously maintained systems can be affected," Moses noted in the report.

Organizations must develop effective strategies to prevent zero-day attack exploitation through robust security architecture that assumes breach and implements defense-in-depth principles.

Business Impact Considerations

Beyond the immediate technical implications, organizations should consider:

  • Regulatory consequences – Data protection regulations may require breach notification if systems containing personal information were compromised
  • Operational disruption – Identity and access management systems are critical infrastructure components whose compromise can halt business operations
  • Reputational damage – Public disclosure of successful attacks against security infrastructure can undermine customer confidence

How to Protect Your Systems

Organizations can take several actions to protect against similar attacks:

  1. Immediately patch Cisco ISE systems to the latest version that addresses CVE-2025-20337
  2. Update all Citrix NetScaler ADC and Gateway appliances to versions that fix CVE-2025-5777
  3. Consider implementing network segmentation to limit lateral movement if systems are compromised
  4. Deploy additional monitoring for unusual access patterns to these critical systems
  5. Review logs for any signs of previous compromise

The sophisticated nature of these attacks serves as a reminder that organizations must maintain vigilance even with fully patched systems, as zero-day vulnerabilities remain a significant threat vector for determined attackers.

This incident also highlights the value of honeypot networks and threat intelligence sharing in identifying new attack vectors before they become widespread, potentially saving countless organizations from compromise.

Proactive Defensive Measures

Security teams should consider implementing:

  • Network traffic analysis to identify unusual communication patterns with authentication systems
  • Behavior-based anomaly detection that can identify suspicious activities even when signatures aren't available
  • Regular third-party security assessments of critical infrastructure components to identify potential vulnerabilities before attackers do
  • Threat hunting exercises specifically focused on authentication and identity management systems
Editorial Team
You might also like

US-China Trade Deal: A New Hope for TikTok’s Future in America

Why Is My Ethernet Slower than Wi-Fi: Troubleshooting Slow Ethernet Speeds

Getting started with Business Intelligence (BI) Reporting

Pros and Cons of Instagram: Is Instagram Right for Your Business?

Feedback Request Templates to Boost Your Amazon Seller rating

Instagram Trial Reels: Expand Your Reach and Optimize Content Performance for…