‘CitrixBleed 2’ Wreaks Havoc as Zero-Day Bug

Summary

An advanced persistent threat (APT) exploited two high-impact zero-day vulnerabilities in identity and access management infrastructure: Citrix NetScaler/ADC & Gateway (CVE-2025-5777, dubbed “CitrixBleed 2”) and Cisco Identity Services Engine (CVE-2025-20337). Amazon’s threat intelligence observed pre-patch exploitation of both flaws via honeypots; Citrix patched in mid-June and Cisco in July, but systems patched after the initial weaponisation window may already have been compromised.

The Cisco flaw enabled pre-auth remote code execution as root and was abused to deploy a bespoke in-memory web shell masquerading as an IdentityAuditAction component, giving attackers stealthy persistence and broad access. The combined targeting of Citrix and Cisco IAM appliances illustrates a deliberate adversary focus on systems that control authentication, VPNs and access policies.

Key Points

  1. An APT exploited Citrix CVE-2025-5777 (CitrixBleed 2) and Cisco ISE CVE-2025-20337 as zero-days prior to widespread patching.
  2. Amazon detected exploitation in the wild via honeypots before vendors released fixes, indicating pre-patch weaponisation.
  3. The Cisco ISE bug allowed pre-auth RCE as root; attackers deployed a custom, memory-resident web shell to maintain stealthy persistence.
  4. Targeting identity and access infrastructure can grant attackers account creation, lateral movement and long-lived control via over-privileged identities.
  5. ReliaQuest data cited: identity issues were the top cloud risk source in Q3 2025 — 44% of positive alerts; 52% involved privilege escalation; 99% of cloud identities were over-privileged.
  6. “Patch-gap” exploitation is a growing tactic — attackers weaponise vulnerabilities between discovery and full patch rollout, shifting the advantage to defenders who control exposure and detection.
  7. Recommended defences: reduce blast radius, remove over-privileged accounts, isolate management planes, enable high-fidelity logging and anomaly detection, restrict external access and prepare compensating controls for rapid activation.

Context and Relevance

This story matters because IAM appliances are high-value targets: compromise them and attackers can effectively own authentication, remote access gateways and policy enforcement. The dual zero-day campaign shows sophisticated reconnaissance of both Citrix and Cisco codebases and demonstrates the real-world impact of “patch-gap” attacks.

For security teams, the incident underscores the need to shift from purely patch-centric thinking to an exposure-centric approach: treat publicly reachable edge and identity appliances as already vulnerable, implement rapid containment playbooks, and prioritise least-privilege and anomaly detection across identities and management planes.

Why should I read this?

Short answer: because if you run Citrix NetScaler/ADC, Citrix Gateway or Cisco ISE (or manage IAM generally), this is urgent. The attackers hit these bugs before full patch rollouts — so patched systems could still be tainted. Read this to know what to check first (look for odd admin sessions, in-memory web shells, new accounts and anomalous authentications) and what to do fast (isolate, revoke tokens, rotate keys and hunt).
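The three checks named above (odd admin sessions, new accounts, anomalous authentications) can be expressed as simple rules over authentication events. The script below is an added illustration, not code from the article or from Citrix or Cisco: the event field names (`ts`, `type`, `user`, `src`, `result`, `role`), the baseline of trusted admin source addresses, the business-hours window and the failure threshold are all assumptions, and the sample events are constructed to exercise each rule.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events. The schema is an assumption for this example and does
# not reproduce any vendor's log format; map your own appliance logs onto it.
EVENTS = [
    {"ts": "2025-06-20T02:40:00", "type": "login", "user": "admin", "src": "203.0.113.9", "result": "ok", "role": "admin"},
    {"ts": "2025-06-20T02:41:00", "type": "account_created", "user": "svc_backup", "src": "203.0.113.9", "role": "admin"},
    {"ts": "2025-06-20T03:00:00", "type": "login", "user": "jdoe", "src": "198.51.100.7", "result": "fail", "role": "user"},
    {"ts": "2025-06-20T03:01:00", "type": "login", "user": "jdoe", "src": "198.51.100.7", "result": "fail", "role": "user"},
    {"ts": "2025-06-20T03:02:00", "type": "login", "user": "jdoe", "src": "198.51.100.7", "result": "fail", "role": "user"},
    {"ts": "2025-06-20T03:03:00", "type": "login", "user": "jdoe", "src": "198.51.100.7", "result": "fail", "role": "user"},
    {"ts": "2025-06-20T03:04:00", "type": "login", "user": "jdoe", "src": "198.51.100.7", "result": "fail", "role": "user"},
    {"ts": "2025-06-20T03:05:00", "type": "login", "user": "jdoe", "src": "198.51.100.7", "result": "ok", "role": "user"},
    {"ts": "2025-06-20T09:12:00", "type": "login", "user": "admin", "src": "10.0.0.5", "result": "ok", "role": "admin"},
    {"ts": "2025-06-20T10:00:00", "type": "login", "user": "jdoe", "src": "10.0.0.8", "result": "ok", "role": "user"},
]

# Assumed baseline: the addresses administrators normally connect from.
BASELINE_ADMIN_SOURCES = {"10.0.0.5"}
# Assumed business-hours window (hours of the day, inclusive start, exclusive end).
BUSINESS_HOURS = range(7, 20)


def find_suspicious(events, baseline_sources=BASELINE_ADMIN_SOURCES, fail_threshold=5):
    """Return (rule, user, src) findings for the indicators the summary tells you to check.

    Rules:
      new_admin_account            - an account was created with an admin role
      admin_login_new_source       - an admin session came from outside the baseline
      admin_login_off_hours        - an admin session occurred outside business hours
      success_after_failure_burst  - a success followed fail_threshold or more failures
                                     for the same user/source pair
    """
    findings = []
    failures = defaultdict(int)  # consecutive failures per (user, src)
    for e in sorted(events, key=lambda x: x["ts"]):
        hour = datetime.fromisoformat(e["ts"]).hour
        key = (e["user"], e["src"])

        if e["type"] == "account_created" and e.get("role") == "admin":
            findings.append(("new_admin_account", e["user"], e["src"]))
            continue

        if e["type"] != "login":
            continue

        if e["result"] == "fail":
            failures[key] += 1
            continue

        # Successful login: first check whether it ends a burst of failures.
        if failures[key] >= fail_threshold:
            findings.append(("success_after_failure_burst", e["user"], e["src"]))
        failures[key] = 0

        if e.get("role") == "admin":
            if e["src"] not in baseline_sources:
                findings.append(("admin_login_new_source", e["user"], e["src"]))
            if hour not in BUSINESS_HOURS:
                findings.append(("admin_login_off_hours", e["user"], e["src"]))
    return findings


if __name__ == "__main__":
    for rule, user, src in find_suspicious(EVENTS):
        print(f"{rule:28s} user={user:12s} src={src}")
```

The rules deliberately key on the assets the article singles out, privileged sessions and account creation, rather than on any exploit signature, so they remain useful for hunting on appliances that were patched after the weaponisation window described above.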

Author style

Punchy: this is a high-priority, high-skill adversary operation. If your estate uses Citrix or Cisco ISE, treat the piece as a priority read — the article flags concrete risks and immediate actions rather than abstract warnings.

Source

Source: https://www.darkreading.com/vulnerabilities-threats/citrixbleed-2-cisco-zero-day-bugs