The Amazon Threat Intelligence team has now disclosed an advanced persistent threat (APT) campaign that exploited vulnerabilities in Citrix systems and Cisco’s Identity Service Engine (ISE), allowing hackers to breach critical identity infrastructure even before the flaws were made publicly known.
According to Amazon’s findings, attackers had exploited “insufficient input validation” in a public API to inject a custom web shell disguised as a native Cisco ISE component, operating entirely in-memory, leveraging Java reflection and non-standard decoding routines to evade detection.
The other flaw abused in the campaign, dubbed Citrix Bleed 2, affected Citrix NetScaler ADC and NetScaler Gateway devices and allowed a memory overread via a similar input validation issue.
“This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure—the systems enterprises rely on to enforce security policies and manage authentication across their networks,” CJ Moses, the CISO of Amazon Integrated Security, said in a blog post.
Citrix was not aware of its flaw being exploited as a zero-day when it disclosed and patched the bug earlier this year. The Cisco ISE flaw, however, was flagged by the company as well as CISA for known exploitation attempts in the wild.
Tooling and exploitation
Amazon’s honeypot service “Madpot” first detected exploitation attempts against the Citrix vulnerability (CVE-2025-5777) prior to its public disclosure, suggesting weaponization in the wild. Further investigation revealed anomalous payloads targeting an undocumented endpoint in Cisco ISE, exploiting vulnerable deserialization logic to achieve pre-authentication remote-code execution (CVE-2025-20337).
“What made this discovery particularly concerning was that exploitation was occurring in the wild before Cisco had assigned a CVE number or released comprehensive patches across all affected branches of Cisco ISE,” Moses said. “This patch-gap exploitation technique is a hallmark of sophisticated threat actors who closely monitor security updates and quickly weaponize vulnerabilities.”
Amazon did not immediately respond to CSO’s queries on why it is sharing information about the zero-day exploits months after the fact.
After gaining access, the actor deployed a tailor-made web shell disguised as the “IdentityAuditAction” component of Cisco ISE. It ran entirely in memory, registered as an HTTP listener in the Tomcat server, used DES encryption with non-standard Base-64 encoding, and required specific HTTP headers for access.
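The root cause described above for the Cisco ISE flaw is deserialization of attacker-controlled input reaching a pre-authentication endpoint. The following Java snippet is an added illustration, not code from Cisco ISE or from Amazon’s report: it places the unchecked pattern next to a hardened version that uses the JDK’s built-in deserialization filter (JEP 290, `ObjectInputFilter`) to allowlist a single expected type and bound payload depth and size. The `AuditEvent` class, the endpoint it stands in for, and the sample inputs are all constructed for this example.

```java
import java.io.*;
import java.util.ArrayList;

public class DeserializationGuard {

    // Hypothetical record type that this example endpoint legitimately accepts.
    public static class AuditEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        final long timestamp;
        AuditEvent(String user, long timestamp) { this.user = user; this.timestamp = timestamp; }
    }

    // Vulnerable pattern: instantiates whatever classes the request body names.
    // Any serializable class on the classpath becomes reachable from unauthenticated input.
    static Object deserializeUnchecked(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allowlist filter. Only AuditEvent may be resolved, "!*" rejects
    // every other class descriptor, and the limits cap object-graph depth and stream size.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=3;maxbytes=4096;DeserializationGuard$AuditEvent;!*");

    static AuditEvent deserializeChecked(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ALLOWLIST);
            Object o = in.readObject();
            // Belt and braces: the filter already rejected other classes, but check the type anyway.
            if (!(o instanceof AuditEvent)) {
                throw new InvalidObjectException("unexpected type " + o.getClass().getName());
            }
            return (AuditEvent) o;
        }
    }

    // Helper used only to build the constructed sample inputs below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new AuditEvent("alice", 1700000000L));
        byte[] other = serialize(new ArrayList<String>()); // stand-in for any unexpected class

        // The unchecked reader happily materialises a class the endpoint never asked for.
        System.out.println("unchecked accepted: " + deserializeUnchecked(other).getClass().getName());

        // The filtered reader accepts the expected type ...
        System.out.println("checked accepted user=" + deserializeChecked(legit).user);

        // ... and refuses anything else before the object is constructed.
        try {
            deserializeChecked(other);
            System.out.println("checked unexpectedly accepted ArrayList");
        } catch (InvalidClassException e) {
            System.out.println("checked rejected ArrayList: " + e.getMessage());
        }
    }
}
```

Compile and run with any JDK 9 or later (`javac DeserializationGuard.java && java DeserializationGuard`). The rejection happens inside `readObject` when the class descriptor for `java.util.ArrayList` is resolved, which is the point at which a gadget chain would otherwise start executing; a rejected stream surfaces as an `InvalidClassException` whose message reports the filter status, and that exception is a useful thing to log and alert on at the endpoint.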
Implication for enterprise defense
The attack challenges assumptions that identity management and network-access systems are inherently secure. The pre-authentication nature of these exploits, the blog noted, reveals that even well-configured and meticulously maintained systems can be affected.
“The campaign underscored the evolving tactics of threat actors targeting critical enterprise infrastructure at the network edge,” Moses said. “The threat actor’s custom tooling demonstrated a deep understanding of enterprise Java applications, Tomcat internals, and the specific architectural nuances of the Cisco Identity Service Engine.”
Amazon recommends organizations adopt a layered defence, which includes limiting access to privileged security appliance endpoints (firewall, proxies, access gateways), employing monitoring for unusual in-memory activity, and treating identity systems as high-risk zones subject to the same scrutiny as public-facing servers.
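Two of the recommendations above, restricting who can reach privileged appliance endpoints and watching for requests that do not fit the appliance’s known surface, can be checked against ordinary access logs. The program below is an added example written for this article, not tooling from Amazon or Cisco: it parses Tomcat-style (combined-format) access log lines and raises a finding when a privileged path is reached from outside a management network, or when a privileged path is not in the inventory of endpoints the appliance is known to expose. The log lines, the management CIDR, the `/admin/` and `/api/` prefixes and the endpoint inventory are all constructed placeholders, not Cisco ISE paths.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class EdgeEndpointAudit {

    // Constructed sample log lines in Tomcat's combined access-log format; addresses and paths are hypothetical.
    static final String SAMPLE_LOG = String.join("\n",
            "10.0.5.20 - - [14/Nov/2025:09:12:01 +0000] \"GET /admin/ HTTP/1.1\" 200 5120",
            "198.51.100.7 - - [14/Nov/2025:09:12:07 +0000] \"POST /api/session HTTP/1.1\" 200 312",
            "10.0.5.21 - - [14/Nov/2025:09:13:44 +0000] \"POST /api/endpoints HTTP/1.1\" 201 88",
            "203.0.113.45 - - [14/Nov/2025:09:14:02 +0000] \"POST /api/internal/upload HTTP/1.1\" 500 0",
            "10.0.5.20 - - [14/Nov/2025:09:15:30 +0000] \"GET /portal/ HTTP/1.1\" 200 2048");

    // client - - [timestamp] "METHOD path protocol" status bytes
    static final Pattern LINE = Pattern.compile(
            "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"([A-Z]+) (\\S+) [^\"]*\" (\\d{3}) (\\d+|-)$");

    // Hypothetical policy: only the management network may touch privileged paths,
    // and every privileged path must appear in the appliance's endpoint inventory.
    static final String MANAGEMENT_CIDR = "10.0.5.0/24";
    static final String[] PRIVILEGED_PREFIXES = {"/admin/", "/api/"};
    static final Set<String> KNOWN_ENDPOINTS = Set.of("/admin/", "/admin/login", "/api/session", "/api/endpoints");

    record Finding(String client, String path, String reason) {}

    // Parses dotted-quad IPv4 into a 32-bit int for CIDR matching.
    static int ipv4ToInt(String ip) {
        int v = 0;
        for (String octet : ip.split("\\.")) {
            v = (v << 8) | Integer.parseInt(octet);
        }
        return v;
    }

    static boolean inCidr(String ip, String cidr) {
        String[] parts = cidr.split("/");
        int prefix = Integer.parseInt(parts[1]);
        int mask = prefix == 0 ? 0 : -1 << (32 - prefix);
        return (ipv4ToInt(ip) & mask) == (ipv4ToInt(parts[0]) & mask);
    }

    static boolean isPrivileged(String path) {
        for (String p : PRIVILEGED_PREFIXES) {
            if (path.startsWith(p)) return true;
        }
        return false;
    }

    static List<Finding> analyze(String logText) {
        List<Finding> findings = new ArrayList<>();
        for (String line : logText.split("\n")) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;          // skip lines that are not in the expected format
            String client = m.group(1);
            String path = m.group(4).split("\\?", 2)[0];  // drop the query string before matching
            if (!isPrivileged(path)) continue;
            if (!inCidr(client, MANAGEMENT_CIDR)) {
                findings.add(new Finding(client, path, "privileged endpoint reached from outside management network"));
            }
            if (!KNOWN_ENDPOINTS.contains(path)) {
                findings.add(new Finding(client, path, "privileged path not in endpoint inventory"));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Expected on the sample above: three findings, two of them for 203.0.113.45.
        for (Finding f : analyze(SAMPLE_LOG)) {
            System.out.println(f.client() + " " + f.path() + " : " + f.reason());
        }
    }
}
```

Requires Java 16 or later for the `record`. The inventory check is the part worth keeping honest in practice: build `KNOWN_ENDPOINTS` from the vendor’s documented API surface rather than from observed traffic, since an undocumented path that is already being hit is exactly the case this article describes.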
The revelation fits into a broader pattern of attackers moving to remote-access and identity infrastructure, a trend that first came into focus during the Citrix Bleed wave in late 2023, when credential harvesting exploits against Citrix ADC and Gateway appliances fuelled widespread intrusions.
Since then, more such campaigns have emerged, including one by Scattered Spider involving a help-desk hack enabling access to the C-suite’s identity infrastructure (Microsoft Entra ID/Active Directory).