
Amazon Ties Cisco, Citrix Zero-Day Exploits to APT Group

  • Nov 12, 2025
  • 2 min read

Key Findings


  • Amazon's threat intelligence team observed an advanced persistent threat group exploiting zero-day vulnerabilities in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products before the vendors disclosed and patched the issues.

  • The attacks leveraged the following vulnerabilities:

      ◦ CVE-2025-5777 (CVSS score: 9.3) - An insufficient input validation vulnerability in Citrix NetScaler ADC and Gateway that could be exploited to bypass authentication. (Fixed by Citrix in June 2025)

      ◦ CVE-2025-20337 (CVSS score: 10.0) - An unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow a remote attacker to execute arbitrary code on the underlying operating system as root. (Fixed by Cisco in July 2025)

  • The threat actor used custom malware with a backdoor specifically designed for Cisco ISE environments, demonstrating advanced evasion techniques.


Background


Amazon's MadPot honeypot service detected active exploitation of the critical vulnerabilities, leading the company's threat intelligence team to investigate further. Through their analysis, they determined that a highly resourced threat actor was behind the attacks.


Threat Actor Capabilities


  • The threat actor's custom tooling demonstrated a deep understanding of enterprise Java applications, Tomcat internals, and the specific architectural nuances of the Cisco ISE.

  • The use of multiple zero-day exploits indicates the attackers have advanced vulnerability research capabilities or access to undisclosed vulnerability information.

  • The web shell used in the attacks was designed to fly under the radar, operating entirely in memory and using Java reflection to inject itself into running threads.

  • The web shell also registered as a listener to monitor all HTTP requests across the Tomcat server and implemented DES encryption with non-standard Base64 encoding to evade detection.
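
An in-memory hook like the one described above leaves a trace that an on-disk web shell does not: a class that was defined from a byte array at runtime has no on-disk code source. The following Java agent is an added example written for this summary, not tooling from Amazon, Cisco or the cited articles; it lists every loaded class that implements a servlet filter, request listener or Tomcat valve interface but has no code-source location, and the class name `MemoryHookAudit` and the set of hook interfaces it checks are assumptions.

```java
// Added example, not from the original report. Package as a jar with
// "Agent-Class: MemoryHookAudit" in the manifest and attach it to the Tomcat JVM
// with the Attach API; findings are printed to stderr for triage.
import java.lang.instrument.Instrumentation;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class MemoryHookAudit {
    // Interfaces a request-monitoring hook would implement (javax and jakarta namespaces).
    // This list is an assumption of the example, not taken from the report.
    private static final Set<String> HOOK_TYPES = Set.of(
        "javax.servlet.Filter", "jakarta.servlet.Filter",
        "javax.servlet.ServletRequestListener", "jakarta.servlet.ServletRequestListener",
        "org.apache.catalina.Valve");

    public static void agentmain(String args, Instrumentation inst) {
        for (String finding : audit(inst.getAllLoadedClasses())) {
            System.err.println("[memory-hook-audit] " + finding);
        }
    }

    // One line per suspicious class; kept separate from agentmain so it can be unit tested.
    static List<String> audit(Class<?>[] loaded) {
        List<String> findings = new ArrayList<>();
        for (Class<?> c : loaded) {
            if (c.getClassLoader() == null) continue;   // bootstrap classes never carry a CodeSource
            if (!implementsHook(c) || hasDiskSource(c)) continue;
            findings.add(c.getName() + " loader=" + c.getClassLoader().getClass().getName()
                         + " implements a request hook but has no on-disk code source");
        }
        return findings;
    }

    // Walk the superclass chain so hooks built on ValveBase or an abstract filter are caught.
    static boolean implementsHook(Class<?> c) {
        try {
            for (Class<?> k = c; k != null; k = k.getSuperclass()) {
                for (Class<?> i : k.getInterfaces()) {
                    if (HOOK_TYPES.contains(i.getName())) return true;
                }
            }
        } catch (Throwable t) { /* some generated classes cannot resolve their hierarchy */ }
        return false;
    }

    // Legitimate webapp classes come from WEB-INF/classes or a jar and so have a location.
    static boolean hasDiskSource(Class<?> c) {
        try {
            CodeSource cs = c.getProtectionDomain().getCodeSource();
            return cs != null && cs.getLocation() != null;
        } catch (SecurityException e) { return false; }
    }
}
```

Treat each finding as a triage lead rather than a verdict: dynamic proxies and some framework-generated classes also lack a code-source location, so confirm by dumping the flagged class's bytecode before acting.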


Attack Objectives and Impact


  • Amazon assesses with high confidence that the same threat actor was observed exploiting both vulnerabilities.

  • The threat group's use of multiple zero-day exploits suggests their objective was to gain prolonged access to the target for espionage purposes.

  • The pre-authentication nature of these exploits reveals that even well-configured and meticulously maintained systems can be affected, underscoring the importance of implementing comprehensive defense-in-depth strategies and robust detection capabilities.


Vendor Response and Mitigation


  • Cisco disclosed CVE-2025-20337 on June 25, but Amazon said exploitation was already underway in May.

  • Citrix disclosed CVE-2025-5777 on June 17, with the Cybersecurity and Infrastructure Security Agency adding the exploit to its known exploited vulnerabilities catalog on July 10.

  • Amazon disclosed the active exploitation of the Cisco vulnerability to the vendor, which informed its customers of the issue within hours.

  • Organizations should prioritize patching these vulnerabilities and implement additional security measures to protect their identity and network access control infrastructure.


Sources


  • https://thehackernews.com/2025/11/amazon-uncovers-attacks-exploited-cisco.html

  • https://cyberscoop.com/amazon-threat-intel-apt-group-cisco-citrix-zero-days/

© 2025 by Explain IT Again. Powered and secured by Wix