Full Report
An advanced threat actor exploited the critical vulnerabilities "Citrix Bleed 2" (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Service Engine (ISE) as zero-days to deploy custom malware. [...]
Analysis Summary
# Vulnerability: Zero-Day Exploitation of Citrix NetScaler and Cisco ISE by Advanced Actor
## CVE Details
- CVE ID: CVE-2025-5777 (Citrix Bleed 2)
  - CVSS Score: not provided in the source text (Critical, implied by context: exploited as a zero-day)
  - CWE: Out-of-bounds memory read (inferred from the description of CVE-2025-5777)
- CVE ID: CVE-2025-20337
  - CVSS Score: Maximum severity score (Critical, implied by context)
  - CWE: Deserialization logic flaw (inferred from the description of CVE-2025-20337)
## Affected Systems
- Products: NetScaler ADC and Gateway (for CVE-2025-5777); Cisco Identity Service Engine (ISE) (for CVE-2025-20337)
- Versions: Not specified, but the flaws were exploited prior to disclosure/patching events in late June/July 2025.
- Configurations: Edge network devices, exposed internet-facing instances.
## Vulnerability Description
**CVE-2025-5777 (Citrix Bleed 2):** An out-of-bounds memory read issue impacting NetScaler ADC and Gateway. Attackers exploited this flaw before patches were available.
**CVE-2025-20337 (Cisco ISE):** A critical vulnerability affecting Cisco ISE that involved vulnerable deserialization logic. Exploitation allowed an unauthenticated attacker to store malicious files, execute arbitrary code, or gain root privileges. Specifically, exploitation led to pre-authentication admin access.
## Exploitation
- Status: Exploited in the wild (Detected as zero-day exploitation prior to public disclosure).
- Complexity: High (Implied by the advanced nature of the threat actor and the custom malware deployment).
- Attack Vector: Network (Implied by the nature of the products and the pre-authentication RCE exploitation).
## Impact
- Confidentiality: High (Custom malware deployed; potential for accessing internal data).
- Integrity: High (Arbitrary code execution, root privileges gained on ISE, custom web shell deployment).
- Availability: High (Impact through malware deployment and system compromise).
## Remediation
### Patches
- **CVE-2025-5777:** Vendor fixes were published in late June 2025. Apply the vendor security updates.
- **CVE-2025-20337:** Vendor patches were published around July 17, 2025. Apply the vendor security updates.
### Workarounds
- Limit access to edge network devices through firewalls and layered access controls until patches are applied.
## Detection
- **Indicators of Compromise (IOCs):** Threat actors deployed a custom web shell named ‘IdentityAuditAction’ on compromised ISE endpoints. This shell registered an HTTP listener, performed Java reflection injection into Tomcat server threads, and used DES encryption with non-standard base64 encoding for obfuscation.
- **Detection Methods and Tools:** Analyze network traffic for anomalous requests targeting undocumented ISE endpoints. Monitor Tomcat server threads for unusual Java reflection activity or unauthorized HTTP listeners. Look for evidence of DES encryption/non-standard base64 encoded payloads in logs.
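As an added example (not part of the report above, and not a vendor detection), the following Python scanner applies two of the network-side checks listed: it flags Tomcat access-log requests whose path carries the reported web shell name or falls outside an allowlist of expected ISE path prefixes, and it flags query values that are base64-shaped but rejected by a strict standard decoder. The log lines and the `EXPECTED_PREFIXES` allowlist are constructed placeholders; the host-side checks (Tomcat thread reflection, rogue HTTP listeners) are not covered here.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Web shell name reported on compromised ISE nodes (taken from the report above).
WEBSHELL_NAME = "IdentityAuditAction"

# Assumption: top-level path prefixes an ISE node is expected to serve.
# Placeholder allowlist; populate it from your own deployment's documented paths.
EXPECTED_PREFIXES = {"admin", "portal", "ers", "api"}

# Constructed Tomcat access-log lines (common log format); not real captures.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2025:10:01:02 +0000] "GET /admin/login.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [20/Jul/2025:10:01:09 +0000] "POST /admin/IdentityAuditAction HTTP/1.1" 200 34
198.51.100.4 - - [20/Jul/2025:10:02:30 +0000] "POST /unknownhandler?d=QWxhZGRpbjpvcGVuIHNlc2FtZQ== HTTP/1.1" 200 12
198.51.100.4 - - [20/Jul/2025:10:02:41 +0000] "GET /ers/config/endpoint?x=QUJDREVGR0hJSktMTU5PUFFS_VFVW-WFla HTTP/1.1" 200 88
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Base64-shaped: long run of base64-like characters, including url-safe variants.
B64ISH_RE = re.compile(r"[A-Za-z0-9+/=_\-]{24,}")


def scan_line(line):
    """Return a list of (reason, detail) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparsed", line.strip())]
    parts = urlsplit(m.group("target"))
    findings = []
    if WEBSHELL_NAME.lower() in parts.path.lower():
        findings.append(("webshell_name", parts.path))
    first_segment = parts.path.strip("/").split("/", 1)[0]
    if first_segment not in EXPECTED_PREFIXES:
        findings.append(("unexpected_path", parts.path))
    for _key, value in parse_qsl(parts.query, keep_blank_values=True):
        if B64ISH_RE.fullmatch(value):
            try:  # strict decode: custom alphabets and odd padding are rejected
                base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                findings.append(("nonstandard_base64", value))
    return findings


def scan_log(text):
    """Map each flagged line number (1-based) to its list of findings."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            report[number] = hits
    return report
```

Standard base64 values that decode cleanly (line 3's `d=` parameter) are not flagged; only the shape-but-not-decodable case is, so tune `B64ISH_RE` and the allowlist to your own traffic before relying on it.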
## References
- Vendor Advisory (Citrix/NetScaler): Mentioned fixes in late June 2025.
- Vendor Advisory (Cisco ISE): Mentioned advisories published around July 17, 2025.
- Relevant links (defanged):
  - hxxps://nvd.nist.gov/vuln/detail/CVE-2025-5777
  - hxxps://nvd.nist.gov/vuln/detail/CVE-2025-20337