An advanced persistent threat actor has been targeting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) as well as Citrix, according to a blog post published Wednesday by security researchers at Amazon.
Amazon said it had previously detected threat activity targeting the CitrixBleed 2 vulnerability, tracked as CVE-2025-5777, through its MadPot honeypot service. The detection indicated the exploitation activity was taking place prior to public disclosure. Citrix released guidance in June to address CitrixBleed 2.
Additional investigation found an “anomalous payload” targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic, CJ Moses, CISO of Amazon Integrated Security, said in the blog.
The vulnerability, tracked as CVE-2025-20337, lets an attacker achieve pre-authentication remote code execution on Cisco ISE, giving administrator-level access to compromised systems.
The hacker deployed a custom web shell that was disguised to appear as a legitimate Cisco ISE component named IdentityAuditAction. The malware was not off the shelf, according to Amazon researchers, but was instead a backdoor specifically designed to target Cisco ISE environments.
Cisco previously released software updates to address the problem.
