Amazon’s threat intelligence team discovered that attacker exploiting previously undisclosed zero-day vulnerabilities in Cisco Identity Service Engine (ISE) and Citrix systems. This campaign utilized custom malware and showed access to various hidden vulnerabilities, indicating a trend where attackers target essential identity and network access controls.
Amazon’s MadPot honeypot service identified exploitation attempts of the Citrix Bleed Two vulnerability (CVE-2025-5777) before it was publicly disclosed, revealing that a threat actor was exploiting it as a zero-day.
Amazon Threat Intelligence, after investigating a threat that exploits the Citrix vulnerability, found an unusual payload aimed at an undocumented endpoint in Cisco ISE that utilized vulnerable deserialization logic and shared this information with Cisco.
This vulnerability, now designated as CVE-2025-20337, allowed the threat actors to achieve pre-authentication remote code execution on Cisco ISE deployments, providing administrator-level access to compromised systems. What made this discovery particularly concerning was that exploitation was occurring in the wild before Cisco had assigned a CVE number or released comprehensive patches across all affected branches of Cisco ISE. This patch-gap exploitation technique is a hallmark of sophisticated threat actors who closely monitor security updates and quickly weaponize vulnerabilities.
Following successful exploitation, the threat actor deployed a custom web shell disguised as a legitimate Cisco ISE component named IdentityAuditAction. This wasn’t typical off-the-shelf malware, but rather a custom-built backdoor specifically designed for Cisco ISE environments. The web shell demonstrated advanced evasion capabilities. It operated completely in-memory, leaving minimal forensic artifacts, used Java reflection to inject itself into running threads, registered as a listener to monitor all HTTP requests across the Tomcat server, implemented DES encryption with non-standard Base64 encoding to evade detection, and required knowledge of specific HTTP headers to access.
The following is a snippet of the deserialization routine showing the actor’s extensive authentication to access their web shell:

Amazon Threat Intelligence found that a threat actor was using the zero-days CVE-2025-20337 and CVE-2025-5777, targeting the internet indiscriminately during our investigation.
The campaign highlighted the changing methods of attackers targeting vital enterprise systems at the network edge. The attackers used custom tools showing their expertise in enterprise Java applications, Tomcat, and Cisco Identity Service Engine architecture. Their access to multiple unpublished zero-day exploits suggests they possess significant resources and advanced vulnerability research skills.
For security teams, this serves as a reminder that critical infrastructure components like identity management systems and remote access gateways remain prime targets for threat actors. The pre-authentication nature of these exploits reveals that even well-configured and meticulously maintained systems can be affected. This underscores the importance of implementing comprehensive defense-in-depth strategies and developing robust detection capabilities that can identify unusual behavior patterns. Amazon recommends limiting access, through firewalls or layered access, to privileged security appliance endpoints such as management portals
InfoSecBulletin Cybersecurity for mankind
