Amazon’s threat intelligence division has uncovered a sophisticated campaign in which an advanced threat actor exploited two high-risk vulnerabilities, CVE-2025-5777 (aka “Citrix Bleed 2”) in NetScaler ADC and Gateway and CVE-2025-20337 in Cisco Identity Services Engine (ISE), to deploy stealthy custom malware.
According to Amazon, data from its MadPot honeypot network revealed exploitation attempts for the Citrix vulnerability before it was publicly disclosed, indicating the attackers had access to the flaw as a zero-day. Further analysis uncovered related payloads targeting a vulnerable deserialization endpoint in Cisco ISE, also exploited prior to Cisco’s security advisory.
“Our Amazon MadPot honeypot service detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) prior to public disclosure, indicating a threat actor had been exploiting the vulnerability as a zero-day,” Amazon wrote in a blog post. “Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic. This vulnerability, now designated as CVE-2025-20337, allowed the threat actors to achieve pre-authentication remote code execution on Cisco ISE deployments, providing administrator-level access to compromised systems.”
Citrix Bleed 2, patched in late June, is an out-of-bounds memory read vulnerability in NetScaler ADC and Gateway appliances; public exploits for it surfaced in early July.
The CVE-2025-20337 flaw allows unauthenticated attackers to execute arbitrary code or gain root privileges. Cisco confirmed in late July that the vulnerability was being exploited in the wild.
Both vulnerabilities were used together in advanced persistent threat (APT) operations before Citrix and Cisco issued their initial advisories. Attackers leveraged the Cisco flaw to gain pre-authentication administrative access and installed a custom web shell called “IdentityAuditAction,” masquerading as a legitimate ISE component.
The backdoor acted as an HTTP listener that intercepted traffic. It used Java reflection to inject itself into Tomcat server threads and protected its communications with DES encryption and a custom Base64 encoding. Access required specific HTTP headers, and the tool left minimal forensic evidence.
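Because the implant hid inside Tomcat request threads under a plausible-sounding name, a blocklist on the name alone is weak; a more durable hunt is to diff what is actually executing on the appliance's HTTP worker threads against the packages expected there. The script below is an added example for this article, not Amazon's or Cisco's tooling. It parses a Java thread dump in jstack format and flags worker-thread frames that fall outside an allowlist of package prefixes or contain the component name reported above. The thread dump, the package prefixes, the `com.acme.rogue` package and the worker-thread naming pattern are constructed assumptions; an analyst would replace the allowlist with prefixes recorded from a known-good node of the same ISE release.

```python
"""Hunt a jstack-style thread dump for code running on Tomcat HTTP worker
threads that does not belong to the appliance's expected packages.

Added example; the dump, allowlist and package names are constructed.
"""
import re
from typing import Dict, List

# Assumption: package prefixes expected on Tomcat request threads of a clean node.
EXPECTED_PREFIXES = ("java.", "javax.", "jdk.", "sun.", "org.apache.")
# Indicator named in the report: the web shell masqueraded as "IdentityAuditAction".
KNOWN_BAD_NAMES = ("IdentityAuditAction",)
# Tomcat HTTP connector workers are named like "http-nio-8443-exec-N".
WORKER_THREAD = re.compile(r'^"(http-[\w-]*exec-\d+)"')
# Stack frame: optional JDK module prefix, then fully qualified class, method, "(".
FRAME = re.compile(r'^\s+at\s+(?:[\w.]+/)?([\w$.]+)\.[\w$<>]+\(')

# Constructed sample dump: exec-1 is benign, exec-2 carries a rogue component.
SAMPLE_DUMP = """\
"http-nio-8443-exec-1" #42 daemon prio=5 os_prio=0 tid=0x00007f runnable
   java.lang.Thread.State: RUNNABLE
        at sun.nio.ch.SocketDispatcher.read0(Native Method)
        at org.apache.tomcat.util.net.NioEndpoint$Poller.run(NioEndpoint.java:700)
        at java.base/java.lang.Thread.run(Thread.java:833)

"http-nio-8443-exec-2" #43 daemon prio=5 os_prio=0 tid=0x00007f runnable
   java.lang.Thread.State: RUNNABLE
        at com.acme.rogue.IdentityAuditAction.handle(IdentityAuditAction.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
        at java.base/java.lang.Thread.run(Thread.java:833)

"GC Thread#0" os_prio=0 tid=0x00007f runnable
"""


def parse_worker_frames(dump: str) -> Dict[str, List[str]]:
    """Map each Tomcat worker thread name to the class names on its stack."""
    frames: Dict[str, List[str]] = {}
    thread = None
    for line in dump.splitlines():
        header = WORKER_THREAD.match(line)
        if header:
            thread = header.group(1)
            frames[thread] = []
            continue
        if line.startswith('"'):  # header of a non-worker thread: stop collecting
            thread = None
            continue
        frame = FRAME.match(line)
        if frame and thread is not None:
            frames[thread].append(frame.group(1))
    return frames


def hunt(dump: str, expected=EXPECTED_PREFIXES, bad=KNOWN_BAD_NAMES) -> Dict[str, List[str]]:
    """Return, per worker thread, the classes that are outside the expected
    package allowlist or that match a known-bad component name."""
    findings: Dict[str, List[str]] = {}
    for thread, classes in parse_worker_frames(dump).items():
        suspicious = [
            cls for cls in classes
            if not cls.startswith(expected) or any(name in cls for name in bad)
        ]
        if suspicious:
            findings[thread] = suspicious
    return findings


if __name__ == "__main__":
    for thread, classes in hunt(SAMPLE_DUMP).items():
        print(f"{thread}: {', '.join(classes)}")
```

A single dump only shows code that happened to be on the stack at capture time, so an implant that is idle between requests can be missed; take several dumps while the appliance is serving traffic, and treat any class outside the allowlist as a candidate for review rather than a confirmed detection.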
Amazon did not link the activity to any known threat group in its report. Organizations are strongly advised to immediately apply patches for both CVE-2025-5777 and CVE-2025-20337 and to restrict access to edge network devices through firewalls and layered defenses.