Researchers uncovered an advanced persistent threat (APT) exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and in Citrix systems (the flaw known as CitrixBleed2). The vulnerabilities, tracked as CVE-2025-20337 and CVE-2025-5777, were leveraged by the attackers to deploy custom malware. While CVE-2025-5777 has been covered previously, the zero-day exploitation of CVE-2025-20337 represents a new development.
Amazon’s honeypots first detected exploitation of a previously unknown Citrix vulnerability (now CVE-2025-5777, “Citrix Bleed Two”) before public disclosure, indicating active zero-day exploitation. During related activity, Amazon identified a separate exploit targeting Cisco ISE through an undocumented endpoint. This vulnerability, later designated CVE-2025-20337, involved insecure deserialization logic that allowed pre-authentication remote code execution and full administrative compromise.
Post-exploitation, attackers deployed a custom in-memory web shell disguised as a legitimate Cisco ISE component named IdentityAuditAction. The shell utilized Java reflection and Tomcat listeners to intercept HTTP requests, encrypting communications using DES with non-standard Base64 encoding. No IOCs have been published for this activity.
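A hunting check for the kind of in-memory component described above, added here as an example and not code from the report, from Amazon, or from Cisco: it walks the filter and servlet registrations of a running web application and flags any whose implementing class has no backing .class resource or no CodeSource, which is what a class defined from raw bytes looks like. It assumes the javax Servlet 3.0+ API (Tomcat 9 or earlier) and that it runs inside the application with access to its ServletContext; the class and method names are hypothetical.

```java
import javax.servlet.Registration;
import javax.servlet.ServletContext;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public final class InMemoryComponentHunter {

    /** One finding: the registration name, its class, and why it was flagged. */
    public static final class Finding {
        public final String registrationName, className, reason;
        Finding(String registrationName, String className, String reason) {
            this.registrationName = registrationName;
            this.className = className;
            this.reason = reason;
        }
        @Override public String toString() {
            return registrationName + " -> " + className + " (" + reason + ")";
        }
    }

    /** Scan filters and servlets; listeners are not enumerable via the Servlet API. */
    public static List<Finding> scan(ServletContext ctx) {
        List<Finding> findings = new ArrayList<>();
        check(ctx, ctx.getFilterRegistrations(), findings);
        check(ctx, ctx.getServletRegistrations(), findings);
        return findings;
    }

    private static void check(ServletContext ctx, Map<String, ? extends Registration> regs,
                              List<Finding> out) {
        ClassLoader loader = ctx.getClassLoader();
        for (Map.Entry<String, ? extends Registration> e : regs.entrySet()) {
            String className = e.getValue().getClassName();
            if (className == null) continue;                 // declared but not bound
            // A class loaded from a jar or WEB-INF/classes has a .class resource;
            // one defined purely in memory does not.
            if (loader.getResource(className.replace('.', '/') + ".class") == null) {
                out.add(new Finding(e.getKey(), className, "no .class resource on classpath"));
                continue;
            }
            try {
                Class<?> c = Class.forName(className, false, loader);
                if (c.getProtectionDomain().getCodeSource() == null)   // bytes, not a jar
                    out.add(new Finding(e.getKey(), className, "no CodeSource for class"));
            } catch (ClassNotFoundException ex) {
                out.add(new Finding(e.getKey(), className, "not loadable by the app loader"));
            }
        }
    }
}
```

A hit is a lead, not proof: compare the flagged class name against the product's shipped jars, and review the Tomcat context's listener list by other means, since registered listeners are not exposed through this API.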