Ethical Hacking News
Advanced threat actors have successfully exploited two critical Citrix and Cisco vulnerabilities in a zero-day attack, demonstrating a high level of sophistication and expertise. Organizations are urged to apply security updates and limit access to edge network devices immediately.
Hackers exploited two critical vulnerabilities in Citrix's NetScaler ADC and Gateway, as well as Cisco's Identity Service Engine (ISE), to deploy custom malware. Citrix Bleed 2 (CVE-2025-5777) was discovered in June but not widely adopted, allowing threat actors to exploit it as a zero-day attack. A second vulnerability, CVE-2025-20337, had a maximum severity score and was published by Cisco on July 17, but its exploitation was initially denied. Both vulnerabilities were likely leveraged by APT actors before the vendors published their initial security bulletins. The attackers used a custom web shell to intercept requests and inject code into Tomcat server threads. Experts recommend applying security updates, limiting access to edge network devices, and staying vigilant against emerging threats.
In a devastating blow to the cybersecurity community, it has come to light that hackers have successfully exploited two critical vulnerabilities in Citrix's NetScaler ADC and Gateway, as well as Cisco's Identity Service Engine (ISE), to deploy custom malware. The zero-day attacks, which were carried out by an advanced threat actor, have left many organizations scrambling to patch the vulnerabilities before they can be exploited further.
The first vulnerability, known as Citrix Bleed 2 (CVE-2025-5777), was discovered in late June and had been published with a fix by Citrix. However, it appears that this fix was not widely adopted, allowing threat actors to exploit the vulnerability as a zero-day attack. The exploits were carried out using a previously undocumented endpoint in Cisco ISE, which used vulnerable deserialization logic.
The second vulnerability, CVE-2025-20337, had a maximum severity score and was published on July 17 by Cisco. The vendor warned that this flaw could be exploited to allow an unauthenticated attacker to store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices. Despite multiple third-party reports claiming that the vulnerability was being used in attacks, it wasn't until after a security briefing with Cisco that researchers began to look into the exploitability of this new vulnerability.
In less than five days, the vendor reissued its warning about CVE-2025-20337 being actively exploited, and on July 28, researcher Bobby Gould published technical details in a write-up that included an exploit chain. It appears that both vulnerabilities were leveraged by APT actors before Cisco and Citrix published their initial security bulletins.
The hackers employed a custom web shell named "IdentityAuditAction," disguised as a legitimate ISE component, to intercept all requests and use Java reflection to inject into Tomcat server threads. The web shell registered with HTTP headers that are not standard, required specific knowledge of the HTTP protocol to access, and left minimal forensic traces behind.
The exploits demonstrate a high level of sophistication and advanced knowledge of both Citrix and Cisco's technologies. It is likely that this attack was carried out by a well-resourced threat actor with extensive expertise in Java/Tomcat internals and the Cisco ISE architecture.
It is recommended to apply the available security updates for CVE-2025-5777 and CVE-2025-20337, as well as limit access to edge network devices through firewalls and layering. By doing so, organizations can reduce their risk of falling victim to this new zero-day attack vector.
In conclusion, the recent Citrix-Cisco ISE zero-day exploits highlight the importance of staying up-to-date with security patches and taking proactive measures to protect against emerging threats. As threat actors continue to evolve and improve their tactics, it is crucial for organizations to remain vigilant and take immediate action when vulnerabilities are discovered.
Advanced threat actors have successfully exploited two critical Citrix and Cisco vulnerabilities in a zero-day attack, demonstrating a high level of sophistication and expertise. Organizations are urged to apply security updates and limit access to edge network devices immediately.
Related Information:
https://www.ethicalhackingnews.com/articles/Hacking-Ground-Zero-Unraveling-the-Citrix-Cisco-ISE-Zero-Day-Exploits-ehn.shtml
Published: Wed Nov 12 08:25:22 2025 by llama3.2 3B Q4_K_M
