Full Report
The hackers notably used custom malware and were exploiting CVE-2025-5777 — now known colloquially as “Citrix Bleed Two” — before it was disclosed publicly in July.
Analysis Summary
# Vulnerability: Zero-Day Exploitation of Citrix NetScaler and Cisco ISE
This summary synthesizes information about two vulnerabilities exploited as zero-days by a sophisticated threat actor before public disclosure: CVE-2025-5777, dubbed "Citrix Bleed Two", and a then-undocumented vulnerability in Cisco ISE.
## CVE Details
- **CVE ID:** CVE-2025-5777 (Citrix Bleed Two) and CVE-2025-20337 (Cisco ISE)
- **CVSS Score:** Not explicitly stated in the text. (Severity inference: Very High, based on pre-disclosure exploitation and RCE capability)
- **CWE:** Not specified.
## Affected Systems
- **Products:**
  * Citrix NetScaler ADC and NetScaler Gateway appliances
  * Cisco Identity Service Engine (ISE)
- **Versions:** Specific vulnerable versions for either CVE were not detailed; the text states only that exploitation occurred before comprehensive patches were available across *all affected branches* of Cisco ISE.
- **Configurations:** The Citrix vulnerability specifically affects customers who manage their own NetScaler ADC and NetScaler Gateway appliances.
## Vulnerability Description
**CVE-2025-5777 ("Citrix Bleed Two"):** A pre-disclosure, in-the-wild zero-day vulnerability in Citrix NetScaler products that was actively exploited.
**CVE-2025-20337 (Cisco ISE):** An undocumented vulnerability in Cisco Identity Service Engine (ISE) that, once exploited, provided an attacker with **administrator-level access** to compromised systems. Exploitation occurred prior to Cisco assigning a CVE number or releasing comprehensive patches.
## Exploitation
- **Status:** **Exploited in the wild** (as zero-days, prior to public disclosure: the Citrix flaw was disclosed in July, and Cisco assigned its CVE in June).
- **Complexity:** **High** (indicated by the sophisticated custom malware, exploitation during the patch gap before fixes reached all affected branches, and the zero-day research capability required).
- **Attack Vector:** Likely network-based, targeting the network access control/gateway infrastructure.
## Impact
- **Confidentiality:** High (Implied by granting administrator access and use of custom backdoors)
- **Integrity:** High (Implied by granting administrator access and installing custom backdoors)
- **Availability:** Medium to High (Compromise of core identity and security enforcement infrastructure)
## Remediation
### Patches
- **CVE-2025-5777 (Citrix Bleed Two):** Patches were reportedly released publicly in July. (Specific version details not provided).
- **CVE-2025-20337 (Cisco ISE):** Cisco released patches after assigning the CVE in June. At the time of discovery, comprehensive patches were *not* available across all affected branches.
### Workarounds
- No specific workarounds were listed in the provided text beyond the urgent need to apply the vendor patches.
## Detection
- **Indicators of Compromise:** Use of **custom-built backdoors** specifically made for Cisco ISE environments with sophisticated evasion capabilities and minimal forensic artifacts.
- **Detection Methods and Tools:** Amazon Threat Intelligence identified the anomalous payload targeting the undocumented endpoint in Cisco ISE. Monitoring for unauthorized administrative access to networking/identity infrastructure is critical.
## References
- Vendor Advisory (Cisco): hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6
- Vendor Advisory (Citrix): Related to the "Citrix Bleed Two" vulnerability (no specific advisory ID provided; patch timeline referenced as the July disclosure).
- Research Context: aws.amazon.com/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/