Zero-day attacks against Cisco ISE, Citrix NetScaler observed

Vulnerability Management, Patch/Configuration Management

Threat actors have exploited the critical Citrix Bleed 2 flaw in Citrix NetScaler ADC and Gateway, tracked as CVE-2025-5777, and the maximum-severity remote code execution bug in Cisco Identity Services Engine, tracked as CVE-2025-20337, in zero-day intrusions used to distribute custom malware, The Hacker News reports.

Further investigation into the exploitation of Citrix Bleed 2 in May, first detected by Amazon's MadPot honeypot network, shed light on the subsequent abuse of CVE-2025-20337 to deploy a web shell masquerading as the IdentityAuditAction component of Cisco ISE, according to Amazon's threat intelligence team. Researchers found that the web shell, which uses Java reflection to inject itself into running threads, also monitors HTTP requests to the Tomcat server and relies on DES encryption for stealth.

"The pre-authentication nature of these exploits reveals that even well-configured and meticulously maintained systems can be affected. This underscores the importance of implementing comprehensive defense-in-depth strategies and developing robust detection capabilities that can identify unusual behavior patterns," said Amazon Integrated Security Chief Information Security Officer CJ Moses.
