Friday, November 14, 2025

Hackers Actively Exploiting Cisco and Citrix 0-Days To Deploy Webshells In The Wild

In a chilling revelation from Amazon’s threat intelligence team, sophisticated hackers are weaponizing undisclosed zero-day flaws in critical enterprise tools from Cisco and Citrix.

Described as part of an ongoing campaign, these attackers are targeting identity and access management systems, the digital gatekeepers that control who enters corporate networks.

The exploits, involving custom malware and webshells, highlight a dangerous trend: threat actors zeroing in on network edge infrastructure to bypass traditional defenses.

This isn’t opportunistic hacking; it’s a calculated assault on the foundations of organizational security, potentially exposing sensitive data and enabling widespread lateral movement.

The vulnerabilities in question are severe. For Citrix, the attackers leverage CVE-2025-5777, a flaw in NetScaler ADC and Gateway systems often called “Citrix Bleed Two.”

This zero-day allows remote code execution without authentication, letting intruders inject malicious code into servers handling secure remote access.

Meanwhile, in Cisco’s Identity Services Engine (ISE), a platform for enforcing network policies, the then-undisclosed CVE-2025-20337 enables pre-authentication remote code execution via vulnerable deserialization logic.

Amazon’s MadPot honeypot service first spotted the Citrix exploit attempts before public disclosure, underscoring how these threats lurk in the shadows, exploiting gaps before vendors can react.

Unmasking The Initial Discovery and Exploitation Tactics

Amazon’s investigation began with anomalous traffic hitting their honeypots, revealing the Citrix zero-day in action.

Digging deeper, the team uncovered the Cisco ISE payload: a sneaky probe hitting undocumented endpoints to trigger deserialization bugs.

This allowed attackers to gain admin-level access on unpatched systems, a feat made more alarming by the fact that exploitation predated Cisco’s CVE assignment and full patching across ISE branches.

What sets this apart is the attackers’ precision. They monitored vendor update cycles closely, striking during “patch gaps” when not all systems were fortified.

This tactic demands insider-level knowledge of Java applications, Tomcat servers, and enterprise architectures.

The campaign’s indiscriminate scanning of internet-facing targets suggests a broad, opportunistic sweep, but the custom tooling points to a well-resourced APT group, possibly state-sponsored, with advanced vulnerability research chops.

Early indicators included unusual HTTP requests and payloads mimicking legitimate traffic, evading basic intrusion detection.

Deploying Custom Webshells: Evasion and Security Fallout

Post-exploitation, the hackers deploy a bespoke webshell masquerading as a Cisco ISE component called “IdentityAuditAction.”

This isn’t generic malware; it’s a tailored backdoor engineered for stealth. Running entirely in memory, it leaves scant forensic traces.

Using Java reflection, it hooks into active threads, monitors all Tomcat HTTP requests, and employs DES encryption with non-standard Base64 variants to scramble communications.

Access requires specific HTTP headers, adding another layer of obfuscation.

A code snippet from the deserialization routine illustrates their cunning: it decodes payloads with a hardcoded key (“d384922c”), instantiates classes dynamically, and processes requests without generating log entries.

This webshell grants persistent control, ideal for data exfiltration or further pivoting.

The implications are stark. These flaws target high-value assets in identity and remote access, amplifying risks in hybrid work environments.

Unpatched systems could lead to full network compromise, ransomware deployment, or espionage.

Amazon notes the attackers’ focus on “critical infrastructure at the network edge,” urging defense-in-depth: segment management portals behind firewalls, monitor for anomalous deserialization, and patch aggressively using vendor bulletins like Citrix’s CTX693420 and Cisco’s advisory.
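As an added illustration of the “monitor for anomalous deserialization” advice, here is a small Python check (written for this page, not Amazon’s, Cisco’s or Citrix’s tooling) that flags HTTP request bodies carrying a Java serialization stream, whether raw or hidden under base64 variants, the class of payload the ISE deserialization bug described earlier depends on. Request paths, headers and bodies are constructed samples, not captured traffic.

```python
import base64
import re

# Header of every Java serialization stream: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# Those four bytes, base64-encoded in any alphabet, always begin with "rO0AB".
B64_MAGIC_RE = re.compile(rb"rO0AB[A-Za-z0-9+/=_-]{12,}")


def _decode_variants(blob):
    """Decode blob as standard and URL-safe base64 after stripping whitespace,
    so a line-wrapped or alphabet-swapped encoding of a stream is still inspected."""
    cleaned = re.sub(rb"\s+", b"", blob)
    padded = cleaned + b"=" * (-len(cleaned) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded)
        except ValueError:
            continue


def inspect_request(method, path, headers, body):
    """Return findings for one HTTP request; an empty list means nothing seen."""
    findings = []
    if JAVA_SER_MAGIC in body:
        findings.append("raw Java serialized object in body")
    elif B64_MAGIC_RE.search(body):
        findings.append("base64-encoded Java serialized object in body")
    elif any(JAVA_SER_MAGIC in d for d in _decode_variants(body)):
        findings.append("Java serialization magic after non-canonical base64 decode")
    ctype = headers.get("Content-Type", "")
    if findings and "java-serialized-object" not in ctype:
        findings.append("serialized payload under Content-Type %r" % ctype)
    return findings


# Constructed sample traffic (not captured data): one benign request and three
# shapes a deserialization probe could take. Paths are placeholders, not ISE endpoints.
_b64 = base64.b64encode(JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap" + b"\x00" * 8)
SAMPLE_REQUESTS = [
    ("POST", "/api/benign", {"Content-Type": "application/json"}, b'{"user":"alice"}'),
    ("POST", "/constructed/raw", {"Content-Type": "application/octet-stream"},
     JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap"),
    ("POST", "/constructed/form", {"Content-Type": "application/x-www-form-urlencoded"},
     b"data=" + _b64),
    ("POST", "/constructed/wrapped", {"Content-Type": "text/plain"},
     _b64[:3] + b"\n" + _b64[3:]),
]


def scan_samples():
    """Map each sample path to its findings (empty list for clean traffic)."""
    return {path: inspect_request(m, path, h, b) for m, path, h, b in SAMPLE_REQUESTS}
```

Feed it decoded request bodies from a reverse proxy or WAF log and alert on any non-empty result; a serialized object arriving at an endpoint that should never accept one is exactly the anomaly worth paging on.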

Security teams must prioritize zero-trust models, behavioral analytics, and regular vulnerability scans.

As AI-driven threats evolve, staying ahead means treating every endpoint as a potential zero-day vector.

This incident reinforces that even fortified setups demand vigilance; hackers are already inside the wire.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
