An “advanced” attacker exploited CitrixBleed 2 and a max-severity Cisco Identity Services Engine (ISE) bug as zero-days to deploy custom malware, according to Amazon Chief Information Security Officer CJ Moses.
The cloud giant’s MadPot honeypot detected the unnamed miscreant(s) attempting to break into buggy Citrix NetScaler ADC and NetScaler Gateway devices via CVE-2025-5777 before the critical vulnerability was publicly disclosed, Moses said in a Wednesday security blog.
CVE-2025-5777 is an out-of-bounds read flaw in NetScaler Gateway and AAA virtual servers that can allow remote attackers to leak memory contents. Security researchers dubbed it CitrixBleed 2 due to similarities with the original CitrixBleed that allowed both nation-state spies and ransomware gangs to steal session secrets.
Citrix disclosed and issued a fix for CVE-2025-5777 on June 17, and soon after bug hunters started warning that things could get really, really bad if customers didn’t patch immediately.
By July, the US Cybersecurity and Infrastructure Security Agency and private researchers said the flaw was under exploitation and being abused to hijack user sessions – although Citrix still hasn’t commented on the attacks.
“Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic,” Moses wrote.
This previously undocumented Cisco bug, now tracked as CVE-2025-20337, received a maximum-severity 10 CVSS rating as it allowed unauthenticated, remote attackers to run arbitrary code on the operating system with root-level privileges.
“What made this discovery particularly concerning was that exploitation was occurring in the wild before Cisco had assigned a CVE number or released comprehensive patches across all affected branches of Cisco ISE,” Moses wrote. “This patch-gap exploitation technique is a hallmark of sophisticated threat actors who closely monitor security updates and quickly weaponize vulnerabilities.”
Cisco first flagged the vulnerability on June 25, and on July 21 updated its advisory to note: “In July 2025, the Cisco PSIRT became aware of attempted exploitation of some of these vulnerabilities in the wild.”
After exploiting the Cisco bug, the criminals deployed a custom backdoor with advanced evasion capabilities specifically designed for Cisco ISE environments. It operated in-memory, left “minimal” forensic artifacts, and injected itself into running threads using Java reflection, according to the cloud giant’s threat intel team.
The malware also registered as a listener to monitor all HTTP requests across the Tomcat server, used DES encryption with non-standard Base64 encoding to evade detection, and required knowledge of specific HTTP headers to access it – all of which indicated that this wasn’t a script kiddie, but rather an attacker with deep familiarity with Cisco ISE and enterprise Java applications.
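The "non-standard Base64" detail above matters to defenders because naive Base64 scanning in log review, YARA-style rules or proxy inspection assumes the standard alphabet: a token encoded with a permuted alphabet either fails to decode or decodes to garbage, so it never gets flagged. The following Python is an added illustration, not code from the article or from Amazon's or Cisco's analysis. The article does not disclose the alphabet the backdoor used, so the `CUSTOM_ALPHABET` here is a constructed, hypothetical one; the log lines are likewise constructed. The script shows how an analyst who has recovered an alphabet from a sample can remap it onto the standard one, scan text for runs in that alphabet, and keep only the runs that decode to plausible text.

```python
import base64
import binascii
import re

STANDARD_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)

# Hypothetical alphabet for illustration only (constructed, not from the
# article): reversed letters and digits, with '-' and '_' replacing '+' and '/'.
CUSTOM_ALPHABET = (
    "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210-_"
)


def _pad(s: str) -> str:
    """Restore '=' padding so the length is a multiple of four."""
    return s + "=" * (-len(s) % 4)


def encode_custom_b64(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Standard Base64, then remap each symbol into the custom alphabet."""
    std = base64.b64encode(data).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STANDARD_ALPHABET, alphabet))


def decode_custom_b64(token: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Remap a custom-alphabet token back to standard Base64 and decode it.

    Raises binascii.Error for tokens that are not valid under the alphabet.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 unique characters")
    std = token.rstrip("=").translate(str.maketrans(alphabet, STANDARD_ALPHABET))
    return base64.b64decode(_pad(std), validate=True)


def try_standard_b64(token: str):
    """What a naive scanner sees: decode with the standard alphabet or give up."""
    try:
        return base64.b64decode(_pad(token.rstrip("=")), validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_text(blob: bytes, threshold: float = 0.9) -> bool:
    """Cheap plausibility filter: mostly printable ASCII or whitespace."""
    if not blob:
        return False
    printable = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(blob) >= threshold


def find_candidates(text: str, alphabet: str = CUSTOM_ALPHABET, min_len: int = 16):
    """Return (token, decoded) pairs for runs in `alphabet` that decode to text.

    Ordinary words also consist of alphabet characters, so the decode step and
    the printable filter are what separate real tokens from noise.
    """
    pattern = re.compile("[%s]{%d,}" % (re.escape(alphabet), min_len))
    hits = []
    for match in pattern.finditer(text):
        token = match.group(0)
        try:
            decoded = decode_custom_b64(token, alphabet)
        except (binascii.Error, ValueError):
            continue
        if looks_like_text(decoded):
            hits.append((token, decoded))
    return hits


# Constructed sample: one line carrying a custom-alphabet token in a header,
# one ordinary line, and one line with a standard Base64 value for contrast.
PLAINTEXT = b"beacon-interval=300"
SAMPLE_LINES = [
    "GET /admin/ HTTP/1.1 X-Session-Hint: " + encode_custom_b64(PLAINTEXT),
    "2025-07-21T10:00:00Z INFO tomcat started on port 8443",
    "Authorization: Basic " + base64.b64encode(b"standard-base64-payload!").decode(),
]


if __name__ == "__main__":
    token = encode_custom_b64(PLAINTEXT)
    print("custom token:", token)
    print("standard decode sees:", try_standard_b64(token))
    for tok, dec in find_candidates("\n".join(SAMPLE_LINES)):
        print("custom-alphabet hit:", tok, "->", dec)
```

The point of `try_standard_b64` is to show the gap: the same token that a standard decoder rejects or mangles decodes cleanly once the alphabet is known. In practice the alphabet comes from reversing a sample or from a memory capture of the Tomcat process, and the scan would run over access logs or captured request headers rather than the three constructed lines here.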
Additionally, the intruder’s access to both the Cisco flaw and CitrixBleed 2 as zero-days indicates “a highly resourced threat actor with advanced vulnerability research capabilities or potential access to non-public vulnerability information.”
Neither Cisco nor Citrix immediately responded to The Register’s inquiries, including who exploited the zero-days and to what end. We will update this story when we receive responses. ®
