An advanced threat actor exploited critical zero-day vulnerabilities in Citrix NetScaler ADC and Gateway and in Cisco ISE to deploy custom malware, before public disclosure and before patches were available. Amazon’s threat intelligence tracked the exploitation through honeypot data, revealing sophisticated techniques and indiscriminate targeting. #CitrixBleed2 #CISCOISEExploit
Key points
- The threat actor exploited Citrix Bleed 2 (CVE-2025-5777) and a Cisco ISE vulnerability (CVE-2025-20337) as zero-days.
- Amazon’s honeypot data detected early exploitation attempts before public disclosures and patches.
- The attacker used customized malware, including a web shell named ‘IdentityAuditAction’, with stealth features.
- The vulnerabilities allowed remote code execution, root access, and data exfiltration through sophisticated attack chains.
- Urgent implementation of security updates and network access controls is recommended to mitigate risks.