{"id":5780,"date":"2025-11-13T12:15:39","date_gmt":"2025-11-13T12:15:39","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5780"},"modified":"2025-11-13T12:15:39","modified_gmt":"2025-11-13T12:15:39","slug":"zero-day-exploits-hit-cisco-ise-and-citrix-systems-in-an-advanced-campaign","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5780","title":{"rendered":"Zero-day exploits hit Cisco ISE and Citrix systems in an advanced campaign"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The Amazon Threat Intelligence team has now disclosed an advanced persistent threat (APT) campaign that exploited vulnerabilities in Citrix systems and Cisco\u2019s Identity Services Engine (ISE), allowing hackers to breach critical identity infrastructure even before the flaws were made publicly known.<\/p>\n<p>According to Amazon\u2019s findings, the attackers exploited \u201cinsufficient input validation\u201d in a public API to inject a custom web shell disguised as a native Cisco ISE component. The shell operated entirely in memory and used Java reflection and non-standard decoding routines to evade detection.<\/p>\n<p>The other flaw abused in the campaign, dubbed Citrix Bleed 2, affected Citrix NetScaler ADC and NetScaler Gateway devices and allowed memory over-read through a similar input validation issue.<\/p>\n<p>\u201cThis discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure\u2014the systems enterprises rely on to enforce security policies and manage authentication across their networks,\u201d CJ Moses, the CISO of Amazon Integrated Security, said in a blog post.<\/p>\n<p>Citrix was not aware that the flaw was being exploited as a zero-day when it disclosed and patched it <a 
href=\"https:\/\/www.csoonline.com\/article\/4014701\/patch-now-citrix-bleed-2-vulnerability-actively-exploited-in-the-wild.html\">earlier this year<\/a>. The Cisco ISE flaw, however, was flagged by the <a href=\"https:\/\/www.csoonline.com\/article\/4024887\/cisco-warns-of-another-critical-rce-flaw-in-ise-urges-immediate-patching.html\">company<\/a> as well as <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/07\/28\/cisa-adds-three-known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noopener\">CISA<\/a> for known exploitation attempts in the wild.<\/p>\n<h2 class=\"wp-block-heading\">Tooling and exploitation<\/h2>\n<p>Amazon\u2019s honeypot service \u201c<a href=\"https:\/\/aws.amazon.com\/blogs\/security\/how-aws-tracks-the-clouds-biggest-security-threats-and-helps-shut-them-down\/\" target=\"_blank\" rel=\"noopener\">Madpot<\/a>\u201d first detected exploitation attempts against the Citrix vulnerability (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-5777\" target=\"_blank\" rel=\"noopener\">CVE-2025-5777<\/a>) prior to its public disclosure\u2013suggesting weaponization in the wild. Further investigation revealed anomalous payloads targeting an undocumented endpoint in Cisco ISE, exploiting vulnerable deserialization logic to achieve pre-authentication remote-code execution (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-20337\" target=\"_blank\" rel=\"noopener\">CVE-2025-20337<\/a>).<\/p>\n<p>\u201cWhat made this discovery particularly concerning was that exploitation was occurring in the wild before Cisco had assigned a CVE number or released comprehensive patches across all affected branches of Cisco ISE,\u201d Moses <a href=\"https:\/\/aws.amazon.com\/blogs\/security\/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days\/\">said<\/a>. 
\u201cThis <em>patch-gap<\/em> exploitation technique is a hallmark of sophisticated threat actors who closely monitor security updates and quickly weaponize vulnerabilities.\u201d<\/p>\n<p>Amazon did not immediately respond to CSO\u2019s queries on why it is sharing information about the zero-day exploits months after the fact.<\/p>\n<p>After gaining access, the actor deployed a tailor-made web shell disguised as the \u201cIdentityAuditAction\u201d component of Cisco ISE. It ran entirely in memory, registered itself as an HTTP listener in the Tomcat server, used DES encryption with non-standard Base64 encoding, and required specific HTTP headers for access.<\/p>\n<h2 class=\"wp-block-heading\">Implications for enterprise defense<\/h2>\n<p>The attack challenges the assumption that identity management and network-access systems are inherently secure. Because the exploits require no authentication, the blog noted, even well-configured and meticulously maintained systems can be compromised.<\/p>\n<p>\u201cThe campaign underscored the evolving tactics of threat actors targeting critical enterprise infrastructure at the network edge,\u201d Moses said. 
\u201cThe threat actor\u2019s custom tooling demonstrated a deep understanding of enterprise Java applications, Tomcat internals, and the specific architectural nuances of the Cisco Identity Service Engine.\u201d<\/p>\n<p>Amazon recommends that organizations adopt a layered defense that includes limiting access to privileged security appliance endpoints (firewalls, proxies, access gateways), monitoring for unusual in-memory activity, and treating identity systems as high-risk zones subject to the same scrutiny as public-facing servers.<\/p>\n<p>The revelation fits into a broader pattern of attackers moving to remote-access and identity infrastructure, a trend that first came into focus during the <a href=\"https:\/\/www.csoonline.com\/article\/657085\/citrix-urges-immediate-patching-of-critically-vulnerable-product-lines.html\">Citrix Bleed<\/a> wave in late 2023, when session-hijacking exploits against Citrix ADC and Gateway appliances fueled widespread intrusions.<\/p>\n<p>Since then, more such campaigns have emerged, including one by Scattered Spider involving a <a href=\"https:\/\/www.csoonline.com\/article\/4020567\/anatomy-of-a-scattered-spider-attack-a-growing-ransomware-threat-evolves.html\">help-desk hack<\/a> enabling access to the C-suite\u2019s identity infrastructure (Microsoft Entra ID\/Active Directory).<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The Amazon Threat Intelligence team has now disclosed an advanced persistent threat (APT) campaign that exploited vulnerabilities in Citrix systems and Cisco\u2019s Identity Services Engine (ISE), allowing hackers to breach critical identity infrastructure even before the flaws were made publicly known. 
According to Amazon\u2019s findings, attackers had exploited \u201cinsufficient input validation\u201d in a public API [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5781,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5780","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5780"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5780"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5780\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5781"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
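The "Tooling and exploitation" section above says the Cisco ISE flaw (CVE-2025-20337) was vulnerable deserialization logic reachable before authentication. The following is an added example, not Cisco's, Amazon's or the article's code, showing the generic Java pattern behind that class of bug beside a hardened version that uses an `ObjectInputFilter` allow-list (JEP 290, Java 9 and later). The `SessionToken` class, the `parseUnsafe`/`parseFiltered` method names and the use of a plain `java.util.HashMap` as a stand-in for an attacker-chosen gadget class are all assumptions for illustration; nothing here reproduces the actual ISE endpoint or the actor's payload.

```java
import java.io.*;

// Added example, not Cisco ISE code: the unsafe readObject() pattern that
// makes pre-auth deserialization RCE possible, beside a filtered version.
public class DeserializationDemo {

    // Assumed: the only type this endpoint legitimately expects.
    public static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String subject;
        SessionToken(String subject) { this.subject = subject; }
    }

    // VULNERABLE: bytes come straight from an unauthenticated HTTP body.
    // readObject() instantiates, and runs the readObject()/readResolve()
    // hooks of, whatever class the stream names *before* the cast on the
    // result is checked, so any gadget chain on the classpath is reachable.
    static SessionToken parseUnsafe(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return (SessionToken) in.readObject();
        }
    }

    // HARDENED: an allow-list filter is consulted for every class descriptor
    // as it is read, so anything other than the expected types is rejected
    // before instantiation. The limits also refuse deeply nested or oversized
    // streams, which defeats resource-exhaustion payloads.
    static SessionToken parseFiltered(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=3;maxarray=1024;maxbytes=4096;"
            + SessionToken.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter); // must be set before the first readObject()
            return (SessionToken) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate token, and an unexpected class
        // standing in for an attacker gadget (a real chain would use a
        // library class whose deserialization side effects reach code execution).
        byte[] good = serialize(new SessionToken("alice"));
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("unsafe, good token: " + parseUnsafe(good).subject);
        try {
            parseUnsafe(unexpected); // HashMap is fully deserialized; only the cast fails
        } catch (ClassCastException e) {
            System.out.println("unsafe: object was fully deserialized before the cast failed");
        }

        System.out.println("filtered, good token: " + parseFiltered(good).subject);
        try {
            parseFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected before instantiation: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. The point of the comparison is where the failure happens: in the unsafe path the unexpected object is completely reconstructed, with all of its deserialization hooks executed, and only the final cast objects; in the filtered path the stream is rejected with `InvalidClassException` as soon as the disallowed class descriptor is read. On an appliance where the endpoint is reachable without credentials, that difference is the difference between a noisy error and pre-authentication code execution.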