‘Advanced’ hacker seen exploiting Cisco, Citrix zero-days
Amazon said it uncovered a sophisticated campaign targeting previously unknown vulnerabilities in products from Cisco and Citrix.
CJ Moses, CISO of Amazon Integrated Security, said the company identified an “advanced” threat actor exploiting previously undisclosed zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix systems.
An Amazon spokesperson said the campaign, which has not been attributed to any specific nation-state or cybercriminal group, was discovered in May. They declined to answer further questions about the nature of the targeting or the goal of the campaign.
The hackers notably used custom malware and were exploiting CVE-2025-5777 — now known colloquially as “Citrix Bleed Two” — before Citrix disclosed it publicly in June.
“Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE,” Moses explained.
Cisco Identity Services Engine (ISE) is a network access control and security policy enforcement platform that lets organizations decide which users and devices may reach which parts of the network based on their identity and posture.
The Cisco vulnerability, later designated CVE-2025-20337, allowed an unauthenticated remote attacker to execute arbitrary code as root on the ISE appliance, giving the hackers full control of compromised systems.
“What made this discovery particularly concerning was that exploitation was occurring in the wild before Cisco had assigned a CVE number or released comprehensive patches across all affected branches of Cisco ISE,” Moses added. “This patch-gap exploitation technique is a hallmark of sophisticated threat actors who closely monitor security updates and quickly weaponize vulnerabilities.”
He noted that their findings illustrate a trend of threat actors focusing on critical identity and network access control infrastructure — the systems enterprises rely on to enforce security policies and manage authentication across their networks.
For the attacks involving Cisco, Moses said the hackers used custom-built backdoors made specifically for Cisco ISE environments.
The backdoor had sophisticated evasion capabilities and left minimal forensic artifacts. The threat actors were exploiting both CVE-2025-20337 and CVE-2025-5777 as zero-days, but by the time Amazon discovered the campaign they were using the exploits indiscriminately rather than against selected targets.
“The access to multiple unpublished zero-day exploits indicates a highly resourced threat actor with advanced vulnerability research capabilities or potential access to non-public vulnerability information,” Moses said.
Citrix Bleed Two caused alarm over the summer, so much so that federal agencies were given a one-day deadline to patch it. The bug affects Citrix customers who manage their own NetScaler ADC and NetScaler Gateway appliances, not Citrix-managed cloud services.
Experts noted that one of the IP addresses tied to exploitation of the bug was linked to the RansomHub ransomware group by CISA last year. The bug was allegedly used to target the Office of the Attorney General of Pennsylvania as well as the Netherlands’ Public Prosecution Service — the country’s equivalent of the U.S. Justice Department.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.