Current Cyber Threats

Hackers Exploited Citrix, Cisco ISE Flaws in Zero-day Attacks

Summary:
Amazon’s threat intelligence team found an advanced persistent threat actor abusing two critical vulnerabilities as zero-days to deploy custom malware: “Citrix Bleed 2” (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 in Cisco Identity Services Engine (ISE).

Using their “MadPot” honeypot, the researchers detected exploitation attempts for the Citrix Bleed 2 vulnerability (CVE-2025-5777) prior to public disclosure, indicating that a threat actor had been exploiting the vulnerability as a zero-day.

“Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic.” (Amazon, 2025)

Citrix Bleed 2 is an out-of-bounds memory read flaw in NetScaler ADC and Gateway for which the vendor published fixes in late June. The ISE flaw, CVE-2025-20337, received a maximum severity score; Cisco warned that it could be exploited by an unauthenticated attacker to store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.

Security Officer Comments:
The hackers leveraged CVE-2025-20337 to gain pre-auth admin access to Cisco ISE endpoints, and deployed a custom web shell named ‘IdentityAuditAction,’ disguised as a legitimate ISE component. The web shell registered as an HTTP listener to intercept all requests and used Java reflection to inject into Tomcat server threads. It also employed DES encryption with non-standard base64 encoding for stealth, required knowledge of specific HTTP headers to access, and left minimal forensic traces behind.

Amazon was unable to attribute this activity to any specific threat actor. The actor showed a high level of sophistication and knowledge of Java/Tomcat internals and the Cisco ISE architecture. The targeting of organizations did not provide any clues to which threat actor may have been behind the exploits.

Suggested Corrections:
You must upgrade vulnerable NetScaler ADC and NetScaler Gateway instances. The affected branches are listed below; builds before the stated build are vulnerable, so upgrade to that build or later:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-43.56
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS

Note: Versions 12.1 and 13.0 are End-Of-Life (EOL) and are vulnerable. Customers must upgrade to a supported, patched version.
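To turn the fixed-build list above into a quick fleet check, here is an added Python example (it is not from the advisory or from either vendor). The fixed builds are the ones listed above; the host names and the non-fixed build numbers in the sample inventory are constructed for illustration.

```python
"""Classify NetScaler ADC / Gateway build strings against the fixed builds in this advisory."""
import re

# Fixed builds per branch, taken from the advisory: (branch, variant) -> (build, minor).
# NDcPP is treated like FIPS because the advisory lists them together.
FIXED_BUILDS = {
    ("14.1", ""):     (43, 56),
    ("13.1", ""):     (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}
# Non-FIPS 12.1 and 13.0 are End-Of-Life: no fixed build exists, they are always flagged.
EOL_BRANCHES = {"12.1", "13.0"}

_BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")


def assess_build(build: str) -> str:
    """Return 'patched', 'vulnerable' or 'eol' for strings such as '14.1-43.56' or '13.1-37.235-FIPS'."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    branch, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    variant = "FIPS" if m.group(4) in ("FIPS", "NDcPP") else ""
    key = (branch, variant)
    if key not in FIXED_BUILDS:
        if branch in EOL_BRANCHES:
            return "eol"          # unsupported branch, must move to a supported patched version
        raise ValueError(f"branch {branch}{'-' + variant if variant else ''} is not covered by this advisory")
    return "patched" if (major, minor) >= FIXED_BUILDS[key] else "vulnerable"


# Constructed sample inventory (hypothetical hosts; only the fixed builds are real).
INVENTORY = {
    "ns-edge-01":   "14.1-43.56",
    "ns-edge-02":   "14.1-29.72",
    "ns-fips-01":   "13.1-37.235-FIPS",
    "ns-fips-02":   "13.1-37.207-NDcPP",
    "ns-legacy-01": "13.0-92.21",
    "ns-legacy-02": "12.1-55.328-FIPS",
}


def triage(inventory: dict) -> dict:
    """Map each host to its patch status so the vulnerable and EOL ones can be prioritised."""
    return {host: assess_build(build) for host, build in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items(), key=lambda kv: kv[1]):
        print(f"{host:14} {INVENTORY[host]:20} {status}")
```

Hosts reported as vulnerable or eol still need the session-termination steps below after they are upgraded, since patching alone does not invalidate stolen tokens.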

Because the vulnerability allows attackers to steal active session tokens, simply patching is not enough. You must terminate all existing sessions to invalidate any tokens that may have been compromised:

  1. Execute commands on the NetScaler to kill all active sessions:
    1. kill icaconnection -all
    2. kill vpn -all
  2. Force all users to re-authenticate.
  3. Rotate all administrative credentials that may have been used on or through the NetScaler device.

Link(s):

https://aws.amazon.com/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/