Researchers uncovered an advanced persistent threat (APT) exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix systems (CitrixBleed2). The vulnerabilities, tracked as CVE-2025-20337 and CVE-2025-5777, were leveraged by the attackers to deploy ...
# Incident Report: APT Exploitation of Cisco ISE Zero-Day
## Executive Summary
An Advanced Persistent Threat (APT) actor was discovered exploiting two co-occurring vulnerabilities (one being a zero-day, CVE-2025-20337) in Cisco Identity Services Engine (ISE) and Citrix systems to gain initial access. The exploitation of the Cisco ISE vulnerability led to pre-authentication Remote Code Execution (RCE), allowing the attackers to deploy custom in-memory web shells for persistent access and subsequent data exfiltration. The activity was detected via Amazon's threat monitoring infrastructure.
## Incident Details
- **Discovery Date:** Prior to November 13, 2025 (detected via honeypots related to Citrix)
- **Incident Date:** Active exploitation occurred prior to discovery/reporting.
- **Affected Organization:** Undisclosed (targeted systems included Cisco ISE and Citrix environments).
- **Sector:** General/Cross-sector (inferred from the platforms targeted, not stated in the source).
- **Geography:** Undisclosed
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Active exploitation detected prior to CVE assignments/disclosure).
- **Vector:** Zero-day vulnerability (CVE-2025-20337) in Cisco ISE, and a known vulnerability (CVE-2025-5777 / CitrixBleed2) in Citrix systems.
- **Details:** The primary vector detailed was an insecure deserialization vulnerability in Cisco ISE that allowed pre-authentication Remote Code Execution (RCE), leading to full administrative compromise.
### Lateral Movement
- **How attackers moved through the network:** Lateral movement itself is not described in the source; post-exploitation, the attackers deployed a custom in-memory web shell (disguised as `IdentityAuditAction`) to maintain persistence and control of the compromised ISE host.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Data exfiltration was listed as the observed impact. The web shell was used to intercept and encrypt HTTP communications (using DES with non-standard Base64) for potential credential harvesting or data theft.
### Detection & Response
- **How it was discovered:** Amazon's honeypots first detected the exploitation of the Citrix vulnerability, identifying related activity that pointed toward the separate, undocumented zero-day exploit targeting Cisco ISE.
- **Response actions taken:** The report indicates discovery and analysis, but specific containment/eradication actions taken by the affected organizations are not detailed in this context.
## Attack Methodology
- **Initial Access:** Exploitation of zero-day vulnerability CVE-2025-20337 (Cisco ISE - Insecure Deserialization leading to RCE) and exploitation of CVE-2025-5777 (Citrix).
- **Persistence:** Deployment of a custom in-memory web shell named `IdentityAuditAction`, implemented with Java reflection and hooked in via Tomcat listeners.
- **Privilege Escalation:** Achieved full administrative compromise of the Cisco ISE system via pre-authentication RCE.
- **Defense Evasion:** The custom malware (web shell) was disguised as a legitimate Cisco ISE component (`IdentityAuditAction`). Communications were encrypted using DES with non-standard encoding.
- **Credential Access:** Implied through web request interception capabilities.
- **Discovery:** Not explicitly detailed, but likely involved reconnaissance after initial foothold using administrative access.
- **Lateral Movement:** Not explicitly detailed beyond establishing persistence via the web shell.
- **Collection:** Intercepting HTTP requests using the custom web shell.
- **Exfiltration:** Encrypting collected data using DES with non-standard Base64 encoding before transmission.
- **Impact:** Data exfiltration and system compromise.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Sensitive data likely targeted or exfiltrated (details unspecified).
- **Operational:** Administrative compromise of critical network access control systems (Cisco ISE) indicates high operational risk.
- **Reputational:** Not disclosed.
## Indicators of Compromise
- **Network indicators (defanged):** None publicly disclosed in the source at the time of this summary.
- **File indicators:** Custom in-memory web shell named `IdentityAuditAction`.
- **Behavioral indicators:** Use of Java reflection and Tomcat listeners to maintain a backdoor; HTTP communication encryption scheme using DES with non-standard Base64 encoding.
## Response Actions
- **Containment measures:** Not detailed in the source. Primary response seems to have been vulnerability analysis and public disclosure.
- **Eradication steps:** Not detailed in the source.
- **Recovery actions:** Not detailed in the source.
## Lessons Learned
- **Key takeaways:** Critical infrastructure components (like ISE) are high-value targets for APTs seeking initial or persistent access into enterprise networks. Zero-day exploitation in core network services (authentication/access control) poses an immediate, critical threat.
- **What could have been done better:** Need for rapid patching cycles for known vulnerabilities (CVE-2025-5777) and enhanced endpoint/memory monitoring to detect in-memory malware injection/reflection techniques.
## Recommendations
- **Prevention measures for similar incidents:**
1. Immediately patch all instances of Cisco ISE against CVE-2025-20337 (once fixed) and Citrix NetScaler against CVE-2025-5777.
2. Implement stringent memory scanning and behavioral monitoring on critical servers (especially identity management infrastructure) to detect custom, in-memory web shells and reflective code execution.
3. Review network segmentation to limit the impact of RCE on critical control plane components like ISE.
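The behavioral indicators above (an in-memory web shell class with no file on disk) and recommendation 2 (memory scanning of identity infrastructure) both come down to one check: is every application class the JVM has loaded backed by a `.class` entry in a deployed JAR? The script below is an added example, not code from the source report or from Cisco or Amazon. It parses a `jcmd <pid> GC.class_histogram` listing, indexes the classes inside the JARs on disk, and flags loaded classes that have no on-disk backing, calling out the report's `IdentityAuditAction` indicator by name. The histogram text, the JAR contents and the `com.example.ise.*` package names are constructed sample data; the real web shell's package is not given in the source.

```python
"""Detect JVM classes that are loaded but have no on-disk backing.

Added example, not code from the source report or from Cisco/Amazon. An
in-memory web shell such as the one disguised as `IdentityAuditAction` lives
only inside the running JVM, so a loaded application class with no matching
.class entry in any deployed JAR is a useful hunting signal. The inputs here
(a `jcmd <pid> GC.class_histogram` listing and a JAR) are constructed sample
data; the package names are made up.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Indicator taken from the report: the disguised class name of the web shell.
KNOWN_BAD_SIMPLE_NAMES = {"IdentityAuditAction"}

# Constructed sample of `jcmd <pid> GC.class_histogram` output.
SAMPLE_HISTOGRAM = """\
 num     #instances         #bytes  class name (module)
-------------------------------------------------------
   1:         84217        9021440  [B (java.base@17.0.2)
   2:         31007         744168  java.lang.String (java.base@17.0.2)
   3:            12           2304  com.example.ise.admin.AdminAction
   4:             1            112  com.example.ise.audit.IdentityAuditAction
   5:             3            240  org.apache.catalina.core.StandardContext
Total        115240        9768264
"""

# Classes that legitimately exist in the constructed JAR on disk.
SAMPLE_JAR_ENTRIES = [
    "com/example/ise/admin/AdminAction.class",
    "org/apache/catalina/core/StandardContext.class",
]

_HISTOGRAM_LINE = re.compile(r"^\s*\d+:\s+\d+\s+\d+\s+(\S+)")


def parse_histogram(text):
    """Return the set of class names listed in a GC.class_histogram dump."""
    names = set()
    for line in text.splitlines():
        m = _HISTOGRAM_LINE.match(line)
        if m:
            names.add(m.group(1))
    return names


def index_jars(jar_paths):
    """Map fully qualified class name -> JAR path for every .class entry."""
    index = {}
    for jar in jar_paths:
        with zipfile.ZipFile(jar) as zf:
            for entry in zf.namelist():
                if entry.endswith(".class"):
                    index[entry[:-len(".class")].replace("/", ".")] = str(jar)
    return index


def is_jdk_or_array(name):
    """Arrays and core JDK classes are not shipped in application JARs."""
    return name.startswith("[") or name.startswith(
        ("java.", "javax.", "jdk.", "sun.", "com.sun."))


def triage(loaded, disk_index):
    """Return {class: verdict} for loaded classes absent from every indexed JAR.

    Verdict is 'known_ioc' when the simple class name matches the report's
    indicator, otherwise 'unbacked' (worth analyst review, not proof of compromise).
    """
    findings = {}
    for name in sorted(loaded):
        if is_jdk_or_array(name) or name in disk_index:
            continue
        simple = name.rsplit(".", 1)[-1]
        findings[name] = "known_ioc" if simple in KNOWN_BAD_SIMPLE_NAMES else "unbacked"
    return findings


def build_sample_jar(directory):
    """Write a throwaway JAR holding empty placeholder .class entries."""
    jar = Path(directory) / "ise-app.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        for entry in SAMPLE_JAR_ENTRIES:
            zf.writestr(entry, b"")  # placeholder bytes, not real bytecode
    return jar


def run_sample():
    """End-to-end run over the constructed histogram and JAR."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_sample_jar(tmp)
        disk_index = index_jars([jar])
        return triage(parse_histogram(SAMPLE_HISTOGRAM), disk_index)


if __name__ == "__main__":
    for cls, verdict in run_sample().items():
        print(f"{verdict:10s} {cls}")
```

On a real Tomcat-based host the index should cover every deployed JAR plus the `WEB-INF/lib` and `WEB-INF/classes` trees and the JSP classes Tomcat compiles into its work directory, or those will show up as `unbacked` noise. `GC.class_histogram` only lists classes that have live instances, which is enough for a registered listener or action object but not for a loaded class that has not yet been instantiated; `jcmd <pid> VM.class_hierarchy` gives the full loaded set. An on-disk match is a negative signal only: an attacker with administrative access can also drop a file, so treat the unbacked list as a triage queue rather than a verdict.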