Hackers Actively Exploiting Cisco and Citrix 0-Days in the Wild to Deploy Webshell

An advanced hacking group is actively exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix systems. These attacks, spotted in real-world operations, allow hackers to deploy custom webshells and gain deep access to corporate networks.

The findings highlight how attackers are targeting key systems that manage user logins and network controls, putting businesses at high risk.

Cisco and Citrix 0-Days Exploited

The trouble started with Amazon’s MadPot honeypot service, a tool designed to lure and study cyber threats. It caught attempts to exploit a Citrix flaw known as “Citrix Bleed Two” (CVE-2025-5777) before anyone knew about it publicly.

This zero-day lets attackers run code remotely without needing to log in. Digging deeper, Amazon’s experts linked the same hackers to a previously unknown weakness in Cisco ISE, now tracked as CVE-2025-20337.

This bug is an unsafe deserialization flaw: the software rebuilds objects from untrusted data, which lets outsiders execute code before ever logging in. The result? Full admin control over the affected systems.

What makes this scary is the timing. Hackers were hitting these flaws in the wild on live internet-facing setups before Cisco issued a CVE number or full patches for all versions of ISE.

This “patch-gap” tactic shows the attackers’ smarts: they closely monitor updates and strike fast when defenses are weak. Amazon shared the Cisco details with the company, helping to speed up fixes, but the damage was already underway.

Once inside, the hackers planted a custom webshell disguised as a legitimate Cisco ISE component called “IdentityAuditAction.” Unlike generic malware, this one is built specifically for Cisco ISE.

It runs entirely in memory, leaving no files on disk that forensics teams could easily spot. Using tricks like Java reflection, it hooks into the system’s web server (Tomcat) to watch all incoming traffic. To hide commands, it encrypts them with DES and wraps them in a modified Base64 encoding, and it only activates when a request carries specific web headers.

A peek at the code reveals their cunning. In one routine, it decodes hidden instructions from web requests, swaps characters like “*” for “a,” and uses a secret key (“d384922c”) to unlock the payload. This lets the hackers run arbitrary code without leaving traces, making detection tough.
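As an added, defender-side example (not code from Amazon’s report or the webshell itself): a heuristic that flags Base64-shaped request values in which “*” stands in for “a,” the character swap the article describes, since standard Base64 never contains “*”. The sample requests, header names and paths are constructed, and the check that the decoded length is a multiple of DES’s 8-byte block is this example’s own assumption.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# The webshell swaps "*" back to "a" before Base64-decoding a command.
# Standard Base64 never contains "*", so a Base64-shaped token that does
# is worth flagging. The minimum length and the DES block-size check are
# heuristics chosen for this example, not indicators from the report.
SUBSTITUTE, ORIGINAL = "*", "a"
MODIFIED_B64 = re.compile(r"^[A-Za-z0-9+/*]{16,}={0,2}$")
DES_BLOCK = 8


def looks_like_swapped_base64(token: str) -> bool:
    """True if token is Base64 with '*' in place of 'a' and decodes to a
    whole number of 8-byte blocks, as DES ciphertext would."""
    if SUBSTITUTE not in token or not MODIFIED_B64.match(token):
        return False
    try:
        raw = base64.b64decode(token.replace(SUBSTITUTE, ORIGINAL), validate=True)
    except binascii.Error:
        return False
    return len(raw) > 0 and len(raw) % DES_BLOCK == 0


def scan_request(req: dict) -> list:
    """Return (location, token) pairs for suspicious values in one request.
    req is a constructed record: {"path", "headers": {...}, "body": str}."""
    hits = []
    for name, value in req.get("headers", {}).items():
        if looks_like_swapped_base64(value.strip()):
            hits.append((f"header:{name}", value))
    # Form bodies are checked field by field; the value after the first "="
    # is URL-decoded so "+" and "=" survive intact.
    for field in req.get("body", "").split("&"):
        token = unquote(field.partition("=")[2] or field).strip()
        if looks_like_swapped_base64(token):
            hits.append(("body", token))
    return hits


# Constructed sample traffic (not captured data): one ordinary login POST and
# one request whose body carries a "*"-for-"a" swapped Base64 token.
SAMPLE_REQUESTS = [
    {"path": "/admin/login", "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=admin&password=hunter2"},
    {"path": "/admin/", "headers": {"Content-Type": "text/plain", "X-Example-Trigger": "1"},
     "body": "cmd=****3q2+7wARIjNEVWZ3iA=="},
]


def scan_all(requests=SAMPLE_REQUESTS) -> list:
    """Run scan_request over a batch and tag each hit with its request index."""
    return [(i, hit) for i, req in enumerate(requests) for hit in scan_request(req)]
```

Such a rule is only a starting point; pair it with monitoring for the unexpected headers and the in-memory Tomcat components the article describes.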

Amazon’s analysis shows the group was blasting these exploits broadly across the internet rather than aiming at specific organizations. Their tools show deep knowledge of Java apps, Tomcat, and Cisco’s setup, suggesting a well-funded team with either insider vulnerability information or top-tier research skills.

This fits a growing pattern: attackers targeting edge defenses such as identity managers and remote gateways that guard entire networks.

For security pros, this is a wake-up call. Even top-notch systems can fall to pre-login exploits. Amazon urges teams to layer defenses: use firewalls to block access to management portals, watch for unusual web traffic, and build detection for odd behaviors. Quick patching is key, but so is assuming breaches and planning responses.

This campaign reminds us that zero-days in critical tools like Cisco and Citrix can open the door to chaos. Companies must stay vigilant as hackers evolve.
