The Discovery That Changed the Narrative

In November 2025, Amazon’s threat intelligence team revealed that attackers had been exploiting two serious vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC months before anyone knew they existed. These flaws, later tracked as CVE-2025-20337 in Cisco ISE and CVE-2025-5777 in Citrix NetScaler, were abused as zero-days: the Cisco bug gave unauthenticated attackers root-level code execution on the appliance, and the Citrix bug let them bypass authentication entirely. Amazon’s MadPot honeypot network detected the activity, showing that attackers were already inside critical identity systems before vendors had assigned CVE numbers or released patches (The Hacker News, 2025; Techzine, 2025).

How the Attack Worked

The attackers were not using off-the-shelf malware. Instead, they deployed a custom web shell disguised as a legitimate Cisco ISE component called IdentityAuditAction. The backdoor operated entirely in memory, injected itself into running threads using Java reflection, and registered itself as an HTTP listener so that it saw every request to the appliance rather than waiting on a dedicated URL. To stay hidden, it encrypted its traffic with DES, encoded it with a non-standard Base64 alphabet, and only answered requests carrying specific HTTP headers. Nothing touched disk, so file-integrity checks and signature scans had little to find, and because the shell hooked all HTTP traffic rather than one path, a path-based signature would not catch it either (CSO Online, 2025; The Register, 2025).
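The listener-and-header design described above is what defeats path-based detection, so a detector has to key on what the shell cannot hide: a request body that is encrypted and encoded in a home-grown alphabet, and the custom header the operator has to send with every request. The Python below is an added example, not code from the AWS report, Cisco or Citrix. It scores constructed proxy-log records on exactly those two signals; the paths, header names, bodies and thresholds are assumptions to tune against your own traffic baseline.

```python
"""Heuristics for spotting web-shell style traffic to an identity appliance.

Added example, not code from the AWS report, Cisco or Citrix. The request
records, paths, header names and bodies below are constructed, and the
thresholds are starting points to tune against your own traffic baseline.
"""
import math
import re
from collections import Counter

# Request headers a browser or API client is expected to send. Anything else is
# treated as a custom header: a weak signal on its own, since SPA frameworks and
# load balancers add their own, but telling when paired with an opaque body.
KNOWN_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "content-type", "content-length", "cookie", "authorization", "referer",
    "origin", "connection", "x-requested-with", "x-forwarded-for",
}
STRUCTURED_TYPES = ("application/x-www-form-urlencoded", "application/json",
                    "multipart/form-data")
FORM_RE = re.compile(r"^[\w.%-]+=[^&]*(?:&[\w.%-]+=[^&]*)*$")
STD_B64_SYMBOLS = ({"+", "/", "="}, {"-", "_", "="})   # standard and URL-safe alphabets
MIN_OPAQUE_LEN = 32
ENTROPY_BITS = 4.8

# Constructed sample: requests to an ISE admin node as an analyst might export
# them from a reverse proxy in front of the appliance. The last one imitates a
# web shell that hides behind a custom header and a custom Base64 alphabet.
SAMPLE_REQUESTS = [
    {"src": "10.0.5.14", "method": "GET", "path": "/admin/login.jsp",
     "headers": {"User-Agent": "Mozilla/5.0", "Accept": "text/html"}, "body": ""},
    {"src": "10.0.5.14", "method": "POST", "path": "/admin/LoginAction.do",
     "headers": {"User-Agent": "Mozilla/5.0",
                 "Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=ops.admin&password=REDACTED&locale=en"},
    {"src": "10.0.5.22", "method": "POST", "path": "/ers/config/endpoint",
     "headers": {"User-Agent": "python-requests/2.31", "Accept": "application/json",
                 "Content-Type": "application/json", "X-Correlation-Id": "job-4471"},
     "body": '{"ERSEndPoint": {"mac": "00:11:22:33:44:55", "groupId": "guest"}}'},
    {"src": "203.0.113.77", "method": "POST", "path": "/admin/",
     "headers": {"User-Agent": "Mozilla/5.0", "Content-Type": "text/plain",
                 "X-Audit-Token": "a1"},
     "body": "Qk9x.LmV2!bB7zP0rT4yHs8WnJ3cF6gD1eA5uI9oK2qM7wE0tR4yU8iO1pS6dG3hJ5lZ9xC2vB7nM4kQ8wE1rT."},
]


def shannon_entropy(s: str) -> float:
    """Bits per character; ciphertext and compressed data sit near the top of the scale."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_custom_base64(s: str) -> bool:
    """Alphanumerics plus at most three distinct symbol characters that are not the
    '+/=' or '-_=' of standard and URL-safe Base64. A shell that swaps the Base64
    alphabet to defeat naive decoders produces exactly this shape."""
    if len(s) < 24 or " " in s:
        return False
    symbols = {ch for ch in s if not ch.isalnum()}
    if not symbols or len(symbols) > 3:
        return False
    return not any(symbols <= std for std in STD_B64_SYMBOLS)


def score_request(req: dict) -> list:
    """Return the list of reasons a single request looks like shell traffic."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    reasons = [f"custom request header {k}" for k in req["headers"]
               if k.lower() not in KNOWN_HEADERS]
    body = req.get("body", "")
    ctype = headers.get("content-type", "")
    # Form posts and JSON API calls are expected to be structured; only judge
    # bodies that claim to be something else and do not parse as either.
    structured = (ctype.startswith(STRUCTURED_TYPES) or bool(FORM_RE.match(body))
                  or body.lstrip().startswith(("{", "[")))
    if body and not structured:
        if looks_like_custom_base64(body):
            reasons.append("body uses a non-standard Base64-style alphabet")
        ent = shannon_entropy(body)
        if len(body) >= MIN_OPAQUE_LEN and ent >= ENTROPY_BITS:
            reasons.append(f"opaque high-entropy body ({ent:.1f} bits/char)")
    return reasons


def detect(requests: list) -> list:
    """Alert on opaque bodies; raise severity when a custom header accompanies one."""
    alerts = []
    for req in requests:
        reasons = score_request(req)
        body_hit = [r for r in reasons if not r.startswith("custom")]
        if not body_hit:
            continue          # a custom header alone is too common to page on
        header_hit = len(body_hit) < len(reasons)
        alerts.append({"src": req["src"], "path": req["path"],
                       "severity": "high" if header_hit else "medium",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_REQUESTS):
        print(alert["severity"], alert["src"], alert["path"], "; ".join(alert["reasons"]))
```

Run stand-alone it raises one high-severity alert for the 203.0.113.77 request and stays quiet on the login form and the ERS API call, even though the API call carries a custom header of its own: the body shape drives the alert and the header only raises its severity. On a real deployment the KNOWN_HEADERS set should be learned from a week of traffic rather than typed in, and the entropy threshold checked against legitimate uploads (certificates, backups) that are also high-entropy.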

The Citrix vulnerability, dubbed CitrixBleed 2, is a memory over-read in NetScaler that leaks session tokens, letting attackers bypass authentication and hijack already-authenticated sessions. Combined with the Cisco flaw, attackers had a powerful toolkit to compromise identity infrastructure at the network edge. Amazon described the threat actor as highly resourced, with either advanced vulnerability research capabilities or access to non-public exploit information (Dark Reading, 2025; AWS Security Blog, 2025).

Why This Matters

Identity systems like Cisco ISE and Citrix NetScaler are the gatekeepers of enterprise networks. They enforce authentication, manage access policies, and sit at the center of trust. An attacker who compromises them controls who gets in and what they can do. Because both exploits worked before authentication, strong credentials, MFA and tight admin policies on the appliance made no difference; any instance whose vulnerable service was reachable could be taken over. This is the danger of relying on patching alone: if attackers are exploiting flaws before disclosure, patching after the fact is too late (CyberScoop, 2025).

The Insider Threat Angle

Now imagine this scenario with an insider. An employee with legitimate access could use the same zero-days to escalate privileges, plant hidden backdoors, and manipulate logs to suppress alerts. Because insiders are trusted, their actions might blend into routine updates or policy changes. They could provision fake accounts, weaken MFA policies, or inject malicious code into workflows. Insider access combined with zero-day exploitation would give them long-term persistence and control, invisible to traditional defenses.

Lessons for Defenders

  • Patching is necessary but insufficient. Attackers are exploiting flaws before disclosure, so patching alone cannot stop them; treat a patch as closing one door, not as proof that nobody already came through it.
  • Continuous monitoring is critical. Watch for unexpected changes in appliance behaviour: HTTP listeners or components that appear at runtime, unusual request headers or opaque request bodies, and memory or thread activity that does not match the vendor baseline. Export logs and flow data off the appliance, so that an attacker with root cannot simply erase the evidence.
  • Defense in depth matters. Restrict management portals to dedicated admin networks, segment identity infrastructure from general traffic, and layer detection tools so that one blind spot is not fatal.
  • Behavioral analytics can catch insiders. Track not just what changes occur, but who makes them, when, and whether that deviates from the person’s normal pattern; a first-ever MFA policy change at midnight deserves a look even when the account is authorized to make it.
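The bullet on behavioral analytics is the one most teams leave abstract. The Python below is an added example, not ISE or NetScaler code, of the minimum viable version: build a per-admin baseline from a window of audit records, then score new records on three questions (is this action new for this person, is this hour outside their usual window, is today’s volume out of proportion) while always surfacing changes that weaken verification or blind defenders. The audit records, admin names, action names and targets are constructed stand-ins; a real ISE or NetScaler audit export would need a field mapping onto the same shape first.

```python
"""Baseline-and-deviation scoring for identity-appliance admin audit logs.

Added example, not code from the AWS report, Cisco or Citrix. The audit
records, admin names, action names and targets are constructed; real ISE or
NetScaler audit exports need a field mapping onto {ts, admin, action, target}.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Actions that weaken verification or blind defenders. These are reviewed
# whether or not they look normal for the admin who performed them.
ALWAYS_REVIEW = {"MFA_POLICY_CHANGED", "AUDIT_LOGGING_DISABLED", "ALERT_RULE_DELETED"}
VOLUME_FACTOR = 3.0   # alert when a day's count exceeds this multiple of the admin's daily mean
HOUR_SLACK = 1        # tolerance, in hours, around the admin's observed working window


def ev(ts, admin, action, target):
    return {"ts": ts, "admin": admin, "action": action, "target": target}


# Constructed baseline week: two admins doing their normal jobs in office hours.
HISTORY = [
    ev("2025-11-03T09:02:00", "ops.admin", "ADMIN_LOGIN", "ise-pan-1"),
    ev("2025-11-03T09:30:00", "ops.admin", "POLICY_SET_UPDATED", "Corp-Wired"),
    ev("2025-11-04T08:55:00", "ops.admin", "ADMIN_LOGIN", "ise-pan-1"),
    ev("2025-11-04T14:10:00", "ops.admin", "ENDPOINT_GROUP_ADDED", "Printers"),
    ev("2025-11-05T09:12:00", "ops.admin", "ADMIN_LOGIN", "ise-pan-1"),
    ev("2025-11-06T09:01:00", "ops.admin", "ADMIN_LOGIN", "ise-pan-1"),
    ev("2025-11-06T16:40:00", "ops.admin", "POLICY_SET_UPDATED", "Guest-Wireless"),
    ev("2025-11-07T09:05:00", "ops.admin", "ADMIN_LOGIN", "ise-pan-1"),
    ev("2025-11-03T08:10:00", "net.eng", "ADMIN_LOGIN", "ise-pan-1"),
    ev("2025-11-03T08:20:00", "net.eng", "NETWORK_DEVICE_ADDED", "sw-floor3-02"),
    ev("2025-11-05T15:50:00", "net.eng", "ADMIN_LOGIN", "ise-pan-1"),
    ev("2025-11-05T15:58:00", "net.eng", "NETWORK_DEVICE_ADDED", "sw-floor4-01"),
]
# Constructed day under review: a normal morning, then a late-night burst from
# ops.admin that creates an account, weakens MFA and switches off audit logging.
TODAY = [
    ev("2025-11-10T09:05:00", "net.eng", "ADMIN_LOGIN", "ise-pan-1"),
    ev("2025-11-10T10:15:00", "ops.admin", "ADMIN_LOGIN", "ise-pan-1"),
    ev("2025-11-10T23:41:00", "ops.admin", "ADMIN_LOGIN", "ise-pan-1"),
    ev("2025-11-10T23:44:00", "ops.admin", "LOCAL_ACCOUNT_CREATED", "svc-backup2"),
    ev("2025-11-10T23:46:00", "ops.admin", "MFA_POLICY_CHANGED", "Admin-Portal"),
    ev("2025-11-10T23:47:00", "ops.admin", "AUDIT_LOGGING_DISABLED", "ise-pan-1"),
]


def build_baseline(events):
    """Per-admin profile: action types seen, hour-of-day window, mean actions per active day."""
    by_admin = defaultdict(list)
    for e in events:
        by_admin[e["admin"]].append(e)
    baseline = {}
    for admin, evs in by_admin.items():
        stamps = [datetime.fromisoformat(e["ts"]) for e in evs]
        hours = [t.hour for t in stamps]
        baseline[admin] = {
            "actions": Counter(e["action"] for e in evs),
            "hour_min": min(hours),
            "hour_max": max(hours),
            "per_day": len(evs) / len({t.date() for t in stamps}),
        }
    return baseline


def score_event(e, baseline):
    """Reasons one audit record deviates from its admin's profile (empty list = normal)."""
    reasons = []
    hour = datetime.fromisoformat(e["ts"]).hour
    prof = baseline.get(e["admin"])
    if prof is None:
        reasons.append("no history for this admin")
    else:
        if e["action"] not in prof["actions"]:
            reasons.append(f"first {e['action']} ever recorded for {e['admin']}")
        if not (prof["hour_min"] - HOUR_SLACK <= hour <= prof["hour_max"] + HOUR_SLACK):
            reasons.append(f"{hour:02d}:xx is outside this admin's usual "
                           f"{prof['hour_min']:02d}-{prof['hour_max']:02d} window")
    if e["action"] in ALWAYS_REVIEW:
        reasons.append("sensitive control change")
    return reasons


def detect(history, new_events):
    """Return (per-event alerts, per-admin daily volume alerts)."""
    baseline = build_baseline(history)
    event_alerts, per_day = [], Counter()
    for e in new_events:
        reasons = score_event(e, baseline)
        if reasons:
            event_alerts.append({**e, "reasons": reasons})
        per_day[(e["admin"], datetime.fromisoformat(e["ts"]).date())] += 1
    volume_alerts = []
    for (admin, day), n in per_day.items():
        mean = baseline.get(admin, {}).get("per_day")
        if mean is not None and n > VOLUME_FACTOR * mean:
            volume_alerts.append({"admin": admin, "date": day.isoformat(),
                                  "reason": f"{n} actions vs {mean:.1f}/day baseline"})
    return event_alerts, volume_alerts


if __name__ == "__main__":
    events, volumes = detect(HISTORY, TODAY)
    for a in events:
        print(a["ts"], a["admin"], a["action"], "|", "; ".join(a["reasons"]))
    for v in volumes:
        print(v["date"], v["admin"], "|", v["reason"])
```

The point of the design is that none of the flagged actions is unauthorized: ops.admin is allowed to create accounts and change MFA policy. What makes the burst worth a phone call is that each action is a first for that person, all of them fall outside the hours the baseline has ever seen for them, the day’s volume is three times their norm, and the last one removes the very log you would need to investigate. Keep the baseline window at least a few weeks in practice, and feed it from a log copy the appliance administrator cannot edit.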

Final Thoughts

Amazon’s findings are a wake-up call. Attackers are targeting the very systems enterprises rely on to enforce trust. They are exploiting vulnerabilities before anyone knows they exist and building custom backdoors to stay hidden. The real lesson is that visibility and anomaly detection matter as much as patch speed. If no one is watching, attackers can rewrite the rules of your environment unnoticed.

Author: David