Full Report
Amazon's threat intelligence team on Wednesday disclosed that it observed an advanced threat actor exploiting two then-zero-day security flaws in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products as part of attacks designed to deliver custom malware. "This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure –
Analysis Summary
# Vulnerability: Exploitation of Zero-Days in Cisco ISE and Citrix NetScaler ADC
## CVE Details
- CVE ID: CVE-2025-5777 (Citrix NetScaler ADC and Gateway)
- CVSS Score: 9.3 (Critical)
- CWE: CWE-125, insufficient input validation leading to an out-of-bounds memory read
- CVE ID: CVE-2025-20337 (Cisco ISE and ISE-PIC)
- CVSS Score: 10.0 (Critical)
- CWE: Injection via insufficient validation of user-supplied input to an API (inferred; the original draft listed OS command injection, which the vendor advisory does not state)
## Affected Systems
- **CVE-2025-5777 (Citrix):**
- Products: Citrix NetScaler ADC and NetScaler Gateway, when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
- Versions: Affected builds are listed in the Citrix bulletin; fixed builds were released in June 2025.
- **CVE-2025-20337 (Cisco):**
- Products: Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC).
- Versions: Releases 3.3 and 3.4; fixes were released in July 2025.
- **Configuration:** Both flaws are reachable before authentication on interfaces the products must expose to do their job (the Gateway/AAA virtual server on NetScaler, an API on ISE), so hardening the administrator login alone does not mitigate them; a deployment with a tightly restricted management portal was still exposed.
## Vulnerability Description
**CVE-2025-5777 (Citrix NetScaler):** Insufficient input validation lets an unauthenticated attacker trigger a memory over-read on the Gateway/AAA virtual server. The leaked memory can contain valid session tokens, so the practical outcome is session hijacking and authentication bypass; leaked tokens remain usable until the sessions are terminated, which is why patching alone is not the end of remediation.
**CVE-2025-20337 (Cisco ISE):** Insufficient validation of user-supplied input in a specific API lets an unauthenticated remote attacker execute arbitrary code on the underlying operating system as root, on both ISE and ISE-PIC.
The two flaws affect different products and the report does not describe one being used to reach the other: the same actor was observed exploiting each against its own target before a patch existed. The custom web shell described below was deployed on Cisco ISE appliances compromised through CVE-2025-20337.
## Exploitation
- Status: Exploited in the wild. Both flaws were exploited as zero-days, before the vendors had published fixes, by a single advanced threat actor.
- Complexity: The CVSS attack complexity of both flaws is Low (no special conditions, no authentication, no user interaction). The campaign itself was sophisticated: it required two separate zero-days and a custom, in-memory implant written against ISE internals. Do not confuse the two when prioritizing patching.
- Attack Vector: Network. Pre-authentication requests to identity and network access control infrastructure.
## Impact
- Confidentiality: High. Root on the ISE appliance, plus a web shell registered as a listener that could observe HTTP requests passing through the Tomcat server; on NetScaler, session tokens disclosed from memory.
- Integrity: High. Arbitrary code execution as root and a persistent custom backdoor/web shell on the identity server that decides network access for other systems.
- Availability: Medium to High. A compromised ISE node can be disrupted at will, which affects every authentication it fronts.
## Remediation
### Patches
- **CVE-2025-5777 (Citrix):** Fixed by Citrix in June 2025. Apply the fixed NetScaler ADC and Gateway build, then terminate existing ICA and PCoIP sessions on the upgraded appliance so that any tokens leaked before the patch stop working; assume sessions active during the exposure window were readable.
- **CVE-2025-20337 (Cisco):** Fixed by Cisco in July 2025. Apply the Cisco ISE and ISE-PIC security updates (release 3.3 and 3.4 patches). Because exploitation gives root, treat any appliance that was exposed and unpatched as potentially compromised and hunt before trusting it again.
### Workarounds
- Neither vendor published a configuration workaround that removes the flaw; network restriction is the only interim control. Limit who can reach the vulnerable surfaces, not just the admin portal: put the ISE API and Gateway/AAA virtual servers behind firewall rules or layered access controls that allow only the networks that need them.
- Apply defense in depth around the identity tier: egress filtering from the appliances (a root shell that cannot reach its C2 is far less useful), centralized logging that the appliance cannot erase, and monitoring of the appliance's own administrative changes.
## Detection
- **Indicators of Compromise (IOCs):**
- A custom web shell whose class name imitates a legitimate Cisco ISE component (reported as `IdentityAuditAction`). It ran in memory, used Java reflection to inject itself into running Tomcat threads, registered as a listener to observe HTTP requests, and answered only to requests carrying specific HTTP headers, so it produces no obvious file artifact and no obvious path in access logs.
- DES encryption with a non-standard Base64 alphabet for the shell's communications and payload delivery, which defeats naive decoders and generic "Base64-looking blob" detections.
- **Detection Methods and Tools:**
- Behavioral analysis on the ISE appliance: unexpected child processes of the Tomcat JVM, writes to locations a stock appliance never touches, and outbound connections that do not match the appliance's normal peers.
- Thread and class-loading inspection of the running JVM rather than the filesystem alone: an in-memory implant shows up as classes outside the expected packages (often with no package at all) on threads that also carry `java.lang.reflect` or `jdk.internal.reflect` frames. Compare against a thread dump from a known-good appliance of the same release.
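The thread-dump check described above, as an added example written for this summary; it is not code from Amazon's report or from Cisco. It parses a HotSpot-style thread dump (`jstack` or `kill -3` output) and flags threads whose stack contains classes outside a package allowlist, escalating when reflection frames sit in the same stack. The allowlist, the class name `IdentityAuditAction` used as a stand-in for the disguised web shell, and the `SAMPLE_DUMP` text are all constructed for the example; build the real allowlist from a known-good dump of your own release.

```python
"""Triage a JVM thread dump from a Cisco ISE appliance for a component that
was injected at runtime via reflection. Heuristic, not a signature."""
import re
from dataclasses import dataclass

# Constructed allowlist of package prefixes a stock ISE Tomcat is expected to
# run. Derive the real one from a known-good thread dump of the same release.
EXPECTED_PREFIXES = (
    "java.", "javax.", "jdk.", "sun.",
    "org.apache.", "org.springframework.", "com.cisco.",
)
# Frames that mark a reflective call (JDK 8 and JDK 9+ spellings).
REFLECTION_PREFIXES = ("java.lang.reflect.", "jdk.internal.reflect.", "sun.reflect.")

THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')
FRAME = re.compile(r'^\s+at\s+(?P<cls>[\w$.]+)\.(?P<method>[\w$<>]+)\(')


@dataclass
class Finding:
    thread: str
    unexpected_classes: list[str]  # classes outside EXPECTED_PREFIXES
    uses_reflection: bool          # reflection frames in the same stack
    default_package: bool          # a class with no package: typical of bytecode defined at runtime


def parse_threads(dump: str) -> dict[str, list[str]]:
    """Map thread name -> frame classes, innermost frame first."""
    threads: dict[str, list[str]] = {}
    current = None
    for line in dump.splitlines():
        header = THREAD_HEADER.match(line)
        if header:
            current = header.group("name")
            threads[current] = []
            continue
        frame = FRAME.match(line)
        if frame and current is not None:
            threads[current].append(frame.group("cls"))
    return threads


def triage(dump: str) -> list[Finding]:
    """Return one Finding per thread that runs a class outside the allowlist,
    threads with reflection frames first."""
    findings = []
    for name, classes in parse_threads(dump).items():
        unexpected = sorted({c for c in classes if not c.startswith(EXPECTED_PREFIXES)})
        if not unexpected:
            continue
        findings.append(Finding(
            thread=name,
            unexpected_classes=unexpected,
            uses_reflection=any(c.startswith(REFLECTION_PREFIXES) for c in classes),
            default_package=any("." not in c for c in unexpected),
        ))
    findings.sort(key=lambda f: (not f.uses_reflection, f.thread))
    return findings


# Constructed sample: one benign request thread, one thread where a class with
# no package is reached through Method.invoke from a Tomcat listener callback,
# and one third-party library thread that only shows the allowlist needs tuning.
SAMPLE_DUMP = '''\
"http-nio-8443-exec-3" #41 daemon prio=5 os_prio=0 tid=0x00007f1a runnable
   java.lang.Thread.State: RUNNABLE
    at com.cisco.ise.portal.PortalServlet.doGet(PortalServlet.java:88)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:655)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at java.lang.Thread.run(Thread.java:840)

"http-nio-8443-exec-7" #45 daemon prio=5 os_prio=0 tid=0x00007f1b runnable
   java.lang.Thread.State: RUNNABLE
    at IdentityAuditAction.onRequest(Unknown Source)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.core.StandardContext.fireRequestInitEvent(StandardContext.java:5880)
    at java.lang.Thread.run(Thread.java:840)

"Cache-Sweeper" #12 daemon prio=5 os_prio=0 tid=0x00007f1c waiting on condition
   java.lang.Thread.State: TIMED_WAITING (sleeping)
    at java.lang.Thread.sleep(Native Method)
    at net.sf.ehcache.store.DiskStore.expire(DiskStore.java:410)
    at java.lang.Thread.run(Thread.java:840)
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        tag = "REFLECTION+UNEXPECTED" if f.uses_reflection else "unexpected"
        extra = " (no package)" if f.default_package else ""
        print(f"[{tag}] {f.thread}: {', '.join(f.unexpected_classes)}{extra}")
```

Run it against a dump taken with `jstack <tomcat-pid>` on the appliance (or the dump a support bundle includes). The third finding in the sample, an ehcache thread, is deliberate: a fresh allowlist will produce such noise on every real appliance, and each entry should be reviewed once and then added to the allowlist so that the reflection-plus-unknown-class signal stands out.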
## References
- Vendor Advisory (Citrix): Citrix security bulletin for CVE-2025-5777, NetScaler ADC and Gateway (fixed builds June 2025).
- Vendor Advisory (Cisco): Cisco security advisory for CVE-2025-20337, Cisco ISE and ISE-PIC (fixes July 2025).
- Amazon Report: Amazon threat intelligence disclosure of the campaign that exploited both flaws as zero-days to deliver custom malware.