Amazon alerts: advanced threat actor exploits Cisco ISE & Citrix NetScaler zero-days

Pierluigi Paganini November 13, 2025

Amazon warns that an advanced threat actor exploited zero-days in Cisco ISE and Citrix NetScaler to deploy custom malware.

Amazon’s threat intelligence researchers spotted an advanced threat actor exploiting two previously undisclosed zero-day flaws in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC to deliver custom malware.

Attackers also exploited multiple undisclosed vulnerabilities.

Amazon’s honeypots revealed exploitation attempts against Citrix Bleed Two (CVE-2025-5777) and the Cisco ISE flaw (CVE-2025-20337), used for pre-auth RCE, before public disclosure.

“What made this discovery particularly concerning was that exploitation was occurring in the wild before Cisco had assigned a CVE number or released comprehensive patches across all affected branches of Cisco ISE,” reads the advisory published by Amazon. “This patch-gap exploitation technique is a hallmark of sophisticated threat actors who closely monitor security updates and quickly weaponize vulnerabilities.”

Once it exploited Cisco ISE, the actor installed a bespoke web shell masquerading as IdentityAuditAction. Built specifically for ISE, it ran entirely in memory, was injected via Java reflection, and registered an HTTP listener on Tomcat.

“This wasn’t typical off-the-shelf malware, but rather a custom-built backdoor specifically designed for Cisco ISE environments,” states the report.

The web shell used DES with nonstandard Base64, required specific headers for access, and left minimal artifacts. The deserialization routine decoded a payload, defined or instantiated a proxy class, and executed it. The actor showed expert knowledge of Java, Tomcat, and Cisco ISE internals, suggesting a well-funded group with access to multiple zero-days and advanced exploit research.
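An in-memory, reflection-injected web shell of the kind described above leaves no class file on disk, and that absence is something a defender can check for. The following Python script is an added example, not code from the article or from Amazon: it compares the classes a running JVM has loaded (in the row format produced by `jcmd <pid> GC.class_histogram`) against the `.class` entries of the deployed jars and reports loaded classes that have no on-disk backing. The histogram rows, the jar entry list, and the `com.example.audit.IdentityAuditAction` class name are constructed for the example.

```python
import re

# One data row of `jcmd <pid> GC.class_histogram` output looks like:
#   "   3:           140          22400  org.apache.catalina.core.StandardWrapper"
# Classes from named JDK modules carry a trailing "(java.base@17.0.2)" annotation.
_HISTOGRAM_ROW = re.compile(
    r"^\s*\d+:\s+\d+\s+\d+\s+(?P<name>\S+)(?:\s+\((?P<module>[^)]+)\))?\s*$"
)

# Constructed sample histogram (not real ISE output). Row 6 is the constructed
# suspect: a loaded class with no matching entry in any deployed jar.
SAMPLE_HISTOGRAM = """\
 num     #instances         #bytes  class name (module)
-------------------------------------------------------
   1:         48211        2310592  [B (java.base@17.0.2)
   2:         12050         289200  java.lang.String (java.base@17.0.2)
   3:           140          22400  org.apache.catalina.core.StandardWrapper
   4:            12            960  org.apache.catalina.core.StandardWrapper$1
   5:             3            240  org.apache.catalina.core.StandardWrapper$$Lambda$123/0x0000000800c0a440
   6:             1             80  com.example.audit.IdentityAuditAction
Total        60417        2623472
"""

# Constructed jar listing, e.g. what `unzip -l` of each deployed jar would yield.
SAMPLE_JAR_ENTRIES = [
    "META-INF/MANIFEST.MF",
    "org/apache/catalina/core/StandardWrapper.class",
    "org/apache/catalina/core/StandardWrapper$1.class",
    "org/apache/catalina/core/StandardContext.class",
]


def parse_histogram(text):
    """Yield (class_name, module_or_None) for every data row of a class histogram."""
    for line in text.splitlines():
        m = _HISTOGRAM_ROW.match(line)
        if m:
            yield m.group("name"), m.group("module")


def jar_entries_to_classes(entries):
    """Map jar entry paths (org/foo/Bar.class) to binary class names (org.foo.Bar)."""
    classes = set()
    for entry in entries:
        if entry.endswith(".class"):
            classes.add(entry[: -len(".class")].replace("/", "."))
    return classes


def find_unbacked_classes(histogram_text, jar_entries):
    """Return loaded classes with no .class file in the deployed jars.

    Skipped as legitimate: array types ('[B', '[Ljava.lang.String;'), classes
    from named JDK modules, and JVM-generated lambda classes. Anything else that
    is loaded but absent from disk is a candidate for an injected in-memory class.
    Dynamic proxies on JDKs older than 16 (com.sun.proxy.$ProxyN) carry no module
    tag and will also surface here; they need triage rather than a blanket allowlist.
    """
    on_disk = jar_entries_to_classes(jar_entries)
    suspects = set()
    for name, module in parse_histogram(histogram_text):
        if name.startswith("["):
            continue
        if module is not None:
            continue
        if "$$Lambda" in name:
            continue
        if name in on_disk:
            continue
        suspects.add(name)
    return sorted(suspects)


if __name__ == "__main__":
    for cls in find_unbacked_classes(SAMPLE_HISTOGRAM, SAMPLE_JAR_ENTRIES):
        print("loaded class with no on-disk backing:", cls)
```

In practice the inputs are a real histogram from the Tomcat JVM and the entry lists of every jar on its classpath; frameworks that define classes at runtime will produce hits too, so the output is a triage list, not a verdict.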

Amazon security researchers warn that critical infrastructure, including identity systems and remote access gateways, is a prime target. Even well-maintained systems are at risk, which highlights the need for defense-in-depth, robust detection, and restricted access to privileged endpoints.

“The pre-authentication nature of these exploits reveals that even well-configured and meticulously maintained systems can be affected,” concludes the report. “This underscores the importance of implementing comprehensive defense-in-depth strategies and developing robust detection capabilities that can identify unusual behavior patterns.”


Pierluigi Paganini





Source: https://securityaffairs.com/184561/hacking/amazon-alerts-advanced-threat-actor-exploits-cisco-ise-citrix-netscaler-zero-days.html