November 15, 2025
By esentry Team

Exploitation of Zero-Day Flaws in Cisco ISE and Citrix NetScaler

A threat actor group is actively exploiting two zero-day vulnerabilities in widely deployed enterprise security tools: Cisco Identity Services Engine (CVE-2025-20337) and Citrix NetScaler ADC & Gateway (CVE-2025-5777). According to Amazon’s threat intelligence team, the attackers leveraged these flaws to implant a custom in-memory web shell, granting them stealthy persistence and elevated privileges within targeted networks.

Affected Products

  • Cisco ISE and ISE Passive Identity Connector — allows unauthenticated remote code execution (RCE) as root.
  • Citrix NetScaler ADC & Gateway — contains an insufficient input validation flaw enabling authentication bypass.

Who Is At Risk

  • Enterprises using Cisco ISE for identity and access management (IAM) and Citrix NetScaler for application delivery and network edge access.
  • Organizations with network-edge devices exposed to the Internet or accessible via management portals.
  • Teams managing privileged infrastructure (admins, network operators, identity teams) where these appliances are used.

Attack Vector & Capabilities

  • The attackers exploited two zero-day vulnerabilities before they were publicly disclosed or patched, giving them early and stealthy access.
  • After breaching the systems, they deployed a custom in-memory web shell called IdentityAuditAction, designed to operate without leaving files on disk.
  • The web shell used Java reflection and Tomcat monitoring to intercept and analyse incoming web traffic.
  • It employed DES encryption, custom Base64 encoding, and hidden HTTP header triggers to communicate covertly and avoid detection.
  • The operation specifically targeted identity management and network-edge systems, aiming for long-term persistence and deep enterprise infiltration.

Why This Matters

  • These vulnerabilities allow attackers to strike before login or authentication, meaning even systems thought to be secure can be exposed.
  • Cisco ISE and Citrix NetScaler sit at the core of enterprise networks, managing who gets access and how data flows. A successful attack on them can undermine the entire security framework of an organization.
  • The combination of zero-day exploits and custom-built tools shows that a highly skilled, well-funded group is behind this campaign, raising the risk of targeted breaches and supply chain–style compromises.

Recommendation

Apply Security Patches Now

  • Cisco: Update Identity Services Engine (ISE/I-PIC) to fix CVE-2025-20337.
  • Citrix: Update NetScaler ADC & Gateway to fix CVE-2025-5777.

Restrict Management Access

  • Disable or limit Internet-facing access to ISE, NetScaler, and related devices.
  • Use firewalls or VPNs so only trusted internal networks can reach management ports.

Improve Monitoring and Detection

  • Check logs for unusual HTTP requests or unknown connections to your appliances.
  • Monitor for unexpected processes or in-memory activity on these systems.
  • Use endpoint or network monitoring tools to detect suspicious movement.
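An added example of the log check above (not code from the advisory or from either vendor): since the web shell described here is triggered through hidden HTTP headers, one practical check is to flag requests to the appliance whose request header names fall outside a known baseline. The log format, header names, and addresses below are constructed for the example.

```python
"""Flag appliance requests carrying HTTP request headers outside a known baseline.

Added example, not from the advisory. The log format, header names and
addresses are constructed; adapt parse_log() to your proxy or WAF export.
"""
import json
from collections import Counter

# Constructed sample: one JSON record per request, as a reverse proxy or WAF
# in front of the appliance might export it. The last request carries a header
# name that never appears in normal traffic (illustrative name, not a real IoC).
SAMPLE_LOG = """\
{"src":"10.0.5.21","method":"GET","path":"/admin/login","headers":["Host","User-Agent","Accept","Cookie"]}
{"src":"10.0.5.22","method":"POST","path":"/admin/login","headers":["Host","User-Agent","Content-Type","Cookie"]}
{"src":"10.0.5.21","method":"GET","path":"/admin/","headers":["Host","User-Agent","Accept","Cookie"]}
{"src":"203.0.113.9","method":"POST","path":"/admin/","headers":["Host","User-Agent","Content-Type","X-Placeholder-Trigger"]}
{"src":"10.0.5.23","method":"GET","path":"/admin/","headers":["Host","User-Agent","Accept","Cookie"]}
"""

# Header names seen in legitimate traffic to this appliance (constructed baseline;
# build the real one from a clean observation window before the exposure period).
BASELINE_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "content-type", "content-length", "cookie", "referer", "connection",
}


def parse_log(text):
    """Parse newline-delimited JSON request records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_unknown_headers(records, baseline=BASELINE_HEADERS):
    """Return (record, unknown_header_names) for every request that carries
    at least one header name not in the baseline. Comparison is case-insensitive,
    as header names are."""
    findings = []
    for rec in records:
        unknown = sorted({h.lower() for h in rec["headers"]} - baseline)
        if unknown:
            findings.append((rec, unknown))
    return findings


def rare_headers(records, max_count=1):
    """Second, baseline-free signal: header names seen in at most max_count
    requests over the whole log, which surfaces one-off trigger headers."""
    counts = Counter(h.lower() for rec in records for h in rec["headers"])
    return {h for h, n in counts.items() if n <= max_count}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec, unknown in flag_unknown_headers(recs):
        print(f"{rec['src']} {rec['method']} {rec['path']} unknown headers: {unknown}")
    print("rare headers:", rare_headers(recs))
```

Treat a hit as a lead to pivot on (source address, timing, any response size anomalies), not as proof of compromise on its own, since new legitimate clients also introduce unfamiliar headers.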

Verify System Integrity

  • Look for unauthorized changes in configurations, admin accounts, or linked systems (like Active Directory or GitHub).
  • Keep regular backups and perform configuration audits.

Boost Incident Readiness

  • Treat this as a critical security incident — engage your response teams, educate IT and network staff on the risks, and ensure alerts from these systems are reviewed immediately.