Ethical Hacking News

A Sophisticated Threat Actor Exploits Zero-Days in Cisco ISE and Citrix NetScaler




A sophisticated threat actor has been exploiting zero-days in Cisco ISE and Citrix NetScaler ADC, demonstrating advanced exploit research and patch-gap exploitation techniques. Organizations are advised to take immediate action to patch their systems and implement comprehensive security measures to prevent potential attacks.

  • Amazon's threat intelligence team has published a warning about a sophisticated threat actor exploiting zero-days in Cisco ISE and Citrix NetScaler ADC.
  • The actor exploited two flaws before they were publicly disclosed: Citrix Bleed Two (CVE-2025-5777), a memory over-read in NetScaler ADC, and CVE-2025-20337, a pre-authentication remote code execution (RCE) flaw in Cisco ISE.
  • The attackers' approach is notable for its speed, sophistication, and minimal artifacts, suggesting a well-funded group with access to multiple vulnerabilities.
  • Organizations with affected systems should patch their software immediately and implement defense-in-depth strategies, robust detection capabilities, and restricted access to privileged endpoints.



  • Amazon has recently alerted security researchers to a sophisticated threat actor that has been exploiting zero-days in Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC (Application Delivery Controller). The alert, issued on November 13, 2025, warns of the potential for widespread attacks against critical infrastructure, with identity systems and remote access gateways as the primary targets.

    The threat actor in question is a highly skilled group that weaponized two flaws, one in Cisco ISE and one in Citrix NetScaler ADC, that had not been publicly disclosed when the attacks began. Amazon's threat intelligence researchers did not find the bugs by code review: they observed the live exploitation attempts in Amazon's honeypot infrastructure and analyzed the captured payloads.

    According to the alert, the attackers exploited Citrix Bleed Two (CVE-2025-5777), a memory over-read in NetScaler ADC that can disclose sensitive data such as session tokens, and CVE-2025-20337, a pre-authentication remote code execution (RCE) flaw in Cisco ISE. Amazon's honeypots recorded the attempts before either vulnerability had been publicly disclosed.

    The attackers' approach is notable not only for the severity of the exploits but for their speed. In the Cisco ISE case, the actor was exploiting the flaw before Cisco had assigned CVE-2025-20337 and before fixed builds were available for every affected ISE release branch, so customers on the unfixed branches had nothing to apply. Working in that window, between a vendor's first fix and comprehensive patches for all branches, is the "patch-gap" behaviour characteristic of well-resourced actors who track vendor advisories closely and weaponize fixes quickly.

    The attackers' toolkit includes a bespoke Java web shell disguised as IdentityAuditAction, a name chosen to blend in with Cisco ISE's own components. It never touches disk: it is loaded into the running ISE JVM via Java reflection, registers itself as an HTTP listener inside the embedded Tomcat so that it sees incoming requests, answers only to requests carrying specific HTTP headers, and encrypts its traffic with DES, encoding the result with a non-standard Base64 alphabet. The combination defeats file-integrity checks, which have no file to inspect, and signature rules that expect standard Base64.
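    The in-memory, reflection-injected shell described above leaves no file to scan, but it does leave a trace inside the JVM: a loaded class that its own class loader cannot find on disk. The following Java agent is added here as an example and is not part of Amazon's report or any Cisco tooling. It enumerates loaded classes, flags those with no backing .class resource, and marks which of them are wired into Tomcat's request pipeline. The class name, jar and manifest names, and the ignore list are assumptions; nothing here depends on ISE's internals.

```java
import java.lang.instrument.Instrumentation;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.List;

/**
 * MemShellScan: a dynamically attached Java agent that reports classes which are
 * loaded in the JVM but have no backing .class resource in the loader that
 * defined them. A class injected through reflection/defineClass from a byte
 * array, as an in-memory web shell is, has exactly that property.
 * Constructed example, not vendor tooling; names are assumptions.
 */
public final class MemShellScan {

    // Name prefixes skipped outright: JDK internals and Tomcat's own packages.
    // Assumption: tune this list for the application being examined.
    private static final String[] IGNORE_PREFIXES = {
        "java.", "javax.", "jdk.", "sun.", "com.sun.",
        "org.apache.tomcat.", "org.apache.catalina.", "org.apache.coyote.",
        "org.apache.naming.", "org.apache.jasper."
    };

    // Types a class must implement or extend to sit in Tomcat's HTTP request
    // path. Resolved by name at runtime so the agent needs no servlet jars.
    private static final String[] HTTP_HOOK_TYPES = {
        "javax.servlet.Servlet", "javax.servlet.Filter",
        "javax.servlet.ServletRequestListener", "javax.servlet.ServletContextListener",
        "jakarta.servlet.Servlet", "jakarta.servlet.Filter",
        "org.apache.catalina.Valve"
    };

    /** Entry point for dynamic attach (Agent-Class in the jar manifest). */
    public static void agentmain(String args, Instrumentation inst) {
        List<String> hits = scan(inst);
        System.err.println("[memshell-scan] " + hits.size() + " memory-only class(es)");
        for (String hit : hits) {
            System.err.println("[memshell-scan] " + hit);
        }
    }

    /** One line per loaded class with no .class resource behind it. */
    public static List<String> scan(Instrumentation inst) {
        List<String> hits = new ArrayList<>();
        for (Class<?> cls : inst.getAllLoadedClasses()) {
            if (cls.isArray() || cls.isPrimitive()) continue;
            String name = cls.getName();
            // "$$" marks generated proxies and lambda classes: noise, not shells
            if (name.contains("$$") || ignored(name)) continue;
            ClassLoader cl = cls.getClassLoader();
            if (cl == null) continue;                          // bootstrap loader: JDK class
            String resource = name.replace('.', '/') + ".class";
            if (cl.getResource(resource) != null) continue;    // backed by a file or jar entry
            hits.add(describe(cls, cl));
        }
        return hits;
    }

    private static boolean ignored(String name) {
        for (String prefix : IGNORE_PREFIXES) {
            if (name.startsWith(prefix)) return true;
        }
        return false;
    }

    private static String describe(Class<?> cls, ClassLoader cl) {
        String origin = "<none>";
        try {
            ProtectionDomain pd = cls.getProtectionDomain();
            CodeSource cs = (pd == null) ? null : pd.getCodeSource();
            if (cs != null && cs.getLocation() != null) origin = cs.getLocation().toString();
        } catch (Throwable t) {
            origin = "<unreadable>";
        }
        StringBuilder sb = new StringBuilder(cls.getName());
        sb.append(" loader=").append(cl.getClass().getName());
        sb.append(" codesource=").append(origin);
        if (hooksHttp(cls)) sb.append(" HOOKS_HTTP_PIPELINE");
        return sb.toString();
    }

    /** True if cls is assignable to any servlet/filter/listener/valve type visible to its loader. */
    private static boolean hooksHttp(Class<?> cls) {
        for (String typeName : HTTP_HOOK_TYPES) {
            try {
                Class<?> hook = Class.forName(typeName, false, cls.getClassLoader());
                if (hook.isAssignableFrom(cls)) return true;
            } catch (Throwable notVisible) {
                // type not loadable from this loader, so cls cannot implement it
            }
        }
        return false;
    }
}
```

    To use it, compile with javac, write a manifest containing the line Agent-Class: MemShellScan, build the jar with jar cfm memshell-scan.jar manifest.txt MemShellScan.class, and attach it to the running Tomcat with jcmd <pid> JVMTI.agent_load /path/to/memshell-scan.jar (JDK 9 or later, run as the same user as the target JVM, and only when the JVM was not started with -XX:+DisableAttachMechanism). Output goes to the target's stderr, which for Tomcat usually means catalina.out. Expect some noise from frameworks that generate classes at runtime; the finding worth chasing is a class with no code source, a name that mimics a product component the way IdentityAuditAction did, and the HOOKS_HTTP_PIPELINE marker. A locked-down appliance may not give you shell access to do this, so it is most useful in a lab reproduction or on self-managed Tomcat hosts.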

    A custom in-memory backdoor and access to two separate zero-days point to a well-funded group with its own exploit-research capability. The approach also leaves minimal artifacts: nothing is written to disk, so file-integrity and antivirus checks have little to find, and the shell vanishes when the JVM restarts unless the actor re-deploys it.
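    The DES-plus-custom-Base64 channel is less exotic than it sounds: a non-standard alphabet is just a fixed permutation of the 64 symbols, so once the alphabet and key are lifted from the shell's bytecode, decoding is a character translation followed by ordinary DES. The Java below is an added example, not the actor's code or anything from the linked reports; the alphabet (a rotation of the standard one), the key, the ECB/PKCS5 mode and the sample message are all constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * CustomB64Des: decodes web-shell traffic that is DES-encrypted and then
 * Base64-encoded with a permuted alphabet, once the alphabet and key have been
 * recovered from the shell. Constructed example; alphabet, key, cipher mode and
 * sample message are all assumptions, not the real shell's values.
 */
public final class CustomB64Des {

    private static final String STD =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

    // Stand-in for the shell's private alphabet: the standard one rotated by 17.
    // Any permutation of the 64 symbols is handled the same way.
    private static final String CUSTOM = STD.substring(17) + STD.substring(0, 17);

    // Assumed mode; the real one is whatever the shell passes to Cipher.getInstance.
    private static final String TRANSFORM = "DES/ECB/PKCS5Padding";

    /** Re-maps each symbol from one 64-char alphabet to the other; '=' padding passes through. */
    public static String translate(String in, String from, String to) {
        StringBuilder out = new StringBuilder(in.length());
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            if (c == '=') { out.append(c); continue; }
            int idx = from.indexOf(c);
            if (idx < 0) throw new IllegalArgumentException("symbol not in alphabet: " + c);
            out.append(to.charAt(idx));
        }
        return out.toString();
    }

    private static byte[] des(int mode, byte[] key, byte[] data) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(mode, new SecretKeySpec(key, "DES"));
        return cipher.doFinal(data);
    }

    /** Operator side: encrypt, Base64, then swap into the private alphabet. */
    public static String encode(String plaintext, byte[] key) throws Exception {
        byte[] ct = des(Cipher.ENCRYPT_MODE, key, plaintext.getBytes(StandardCharsets.UTF_8));
        return translate(Base64.getEncoder().encodeToString(ct), STD, CUSTOM);
    }

    /** Analyst side: swap back to the standard alphabet, Base64-decode, decrypt. */
    public static String decode(String wire, byte[] key) throws Exception {
        byte[] ct = Base64.getDecoder().decode(translate(wire, CUSTOM, STD));
        return new String(des(Cipher.DECRYPT_MODE, key, ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "8bytekey".getBytes(StandardCharsets.US_ASCII); // DES uses a 64-bit key; constructed
        String wire = encode("whoami", key);
        System.out.println("on the wire:       " + wire);
        // A standard decoder does not reject the blob, it just yields the wrong bytes,
        // which is why rules that Base64-decode before matching see only noise.
        System.out.println("naive std decode:  " + hex(Base64.getDecoder().decode(wire)));
        System.out.println("after translation: " + decode(wire, key));
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

    The point for detection engineering is that the permuted alphabet keeps every character inside the legal Base64 set, so the traffic neither fails decoding nor stands out by character class; what does stand out is a Base64-shaped body that decodes to high-entropy bytes on an endpoint that never otherwise receives one, and the unusual request headers the shell insists on.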

    Amazon's security researchers have warned that critical infrastructure, including identity systems and remote access gateways, are prime targets for this threat actor. They have emphasized the importance of defense-in-depth strategies, robust detection capabilities, and restricted access to privileged endpoints.

    In light of these findings, organizations running Cisco ISE or Citrix NetScaler ADC should apply the fixed releases immediately, hunt for the artifacts Amazon describes, and treat both products' management and authentication interfaces as privileged endpoints: restrict who can reach them at the network layer, because a pre-authentication flaw is not mitigated by strong passwords or multi-factor authentication.

    The discovery also underscores why a layered approach matters for edge and identity appliances in particular: they sit in front of authentication, are exposed by design, and are rarely covered by endpoint agents, so network-level access control, log forwarding to a SIEM, and prompt vulnerability management are the controls that actually apply to them.

    In short, the exploitation of zero-days in Cisco ISE and Citrix NetScaler ADC is a significant threat to organizations worldwide. The actor's speed, custom tooling and access to multiple vulnerabilities mark it as a well-funded group with serious exploit-research capability.






    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Sophisticated-Threat-Actor-Exploits-Zero-Days-in-Cisco-ISE-and-Citrix-NetScaler-ehn.shtml

  • https://securityaffairs.com/184561/hacking/amazon-alerts-advanced-threat-actor-exploits-cisco-ise-citrix-netscaler-zero-days.html

  • https://aws.amazon.com/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/

  • https://thehackernews.com/2025/11/amazon-uncovers-attacks-exploited-cisco.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-5777

  • https://www.cvedetails.com/cve/CVE-2025-5777/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-20337

  • https://www.cvedetails.com/cve/CVE-2025-20337/


  • Published: Thu Nov 13 03:33:54 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.