‘Advanced’ hacker seen exploiting Cisco, Citrix zero-days

Summary

Amazon discovered a sophisticated campaign in May in which an “advanced” threat actor exploited previously undisclosed zero-day vulnerabilities in Citrix and Cisco products. The attackers used CVE-2025-5777 (“Citrix Bleed Two”) and an undocumented Cisco ISE flaw later tracked as CVE-2025-20337, achieving administrator-level access and deploying custom backdoors tuned for Cisco ISE environments. Exploitation occurred before public disclosure and full patch availability, and the malware showed strong evasion techniques that left few forensic artefacts.

Key Points

  • Amazon identified exploitation of Citrix CVE-2025-5777 (“Citrix Bleed Two”) and a previously unknown Cisco ISE vulnerability later labelled CVE-2025-20337.
  • Activity was observed in May, before public disclosure and wide patching, indicating patch-gap exploitation.
  • Attackers used custom backdoors with advanced evasion and left minimal forensic artefacts.
  • The campaign targeted critical identity and network access control infrastructure (Cisco ISE, Citrix NetScaler ADC/Gateway).
  • One IP address tied to the exploitation has links to RansomHub, and Citrix Bleed Two has previously been linked to attacks on public bodies.
  • Amazon reported its findings to Cisco. Exploitation before any public disclosure suggests the actor is highly resourced or has access to non-public vulnerability information.

Context and Relevance

This matters because attackers are increasingly going after identity and access-control layers that govern who can do what on enterprise networks. Organisations running Cisco ISE or Citrix NetScaler appliances should treat those platforms as high-value targets: prioritise patching, inventory checks, logging and incident response planning. The incident also underlines the danger of “patch-gap” exploitation—when flaws are weaponised before full vendor mitigations are available.
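
As an added illustration of the inventory check recommended above (this is the editor's example, not code from the article or from Amazon), the Python below parses NetScaler build strings of the form 14.1-43.56 and Cisco ISE version strings of the form 3.3 Patch 7, then compares each appliance against a per-branch table of first fixed builds. The values in that table are assumptions recorded from memory of the Citrix and Cisco advisories for CVE-2025-5777 and CVE-2025-20337; take the authoritative numbers from the vendor advisories before acting on the output. The sample inventory is constructed and the hostnames are not real.

```python
"""Triage a NetScaler / Cisco ISE inventory against first-fixed builds."""
import re
from dataclasses import dataclass

# ASSUMPTION: first fixed builds as recalled from the vendor advisories
# (Citrix for CVE-2025-5777, Cisco ISE for CVE-2025-20337). Verify against
# the current advisory text before relying on this table.
NETSCALER_FIXED = {          # release branch -> first fixed (build, sub-build)
    "14.1": (43, 56),
    "13.1": (58, 32),
}
ISE_FIXED_PATCH = {          # ISE train -> first fixed patch level
    "3.3": 7,
    "3.4": 2,
}


@dataclass
class Appliance:
    host: str
    product: str   # "netscaler" or "ise"
    version: str   # version string as reported by the appliance


def parse_netscaler(version):
    """'14.1-43.56' -> ('14.1', (43, 56)); raises ValueError otherwise."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def parse_ise(version):
    """'3.3 Patch 6' -> ('3.3', 6); a bare '3.4' is treated as patch 0."""
    m = re.fullmatch(r"(\d+\.\d+)(?:\s*[Pp]atch\s*(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version: {version!r}")
    return m.group(1), int(m.group(2) or 0)


def assess(appliance):
    """Return 'patched', 'vulnerable' or 'unknown' for one appliance.

    'unknown' covers products and branches the tables do not describe
    (FIPS or end-of-life trains) and strings the parsers cannot read;
    it is a finding to follow up, not a pass.
    """
    try:
        if appliance.product == "netscaler":
            branch, build = parse_netscaler(appliance.version)
            fixed = NETSCALER_FIXED.get(branch)
            if fixed is None:
                return "unknown"
            return "patched" if build >= fixed else "vulnerable"
        if appliance.product == "ise":
            train, patch = parse_ise(appliance.version)
            fixed = ISE_FIXED_PATCH.get(train)
            if fixed is None:
                return "unknown"
            return "patched" if patch >= fixed else "vulnerable"
    except ValueError:
        pass
    return "unknown"


def triage(inventory):
    """Group hostnames by status so the vulnerable set can be pulled first."""
    out = {"vulnerable": [], "patched": [], "unknown": []}
    for appliance in inventory:
        out[assess(appliance)].append(appliance.host)
    return out


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY = [
    Appliance("ns-edge-01", "netscaler", "14.1-43.56"),
    Appliance("ns-edge-02", "netscaler", "13.1-57.26"),
    Appliance("ns-lab-09", "netscaler", "12.1-55.300"),
    Appliance("ise-pan-01", "ise", "3.3 Patch 7"),
    Appliance("ise-psn-02", "ise", "3.4 Patch 1"),
    Appliance("ise-old-03", "ise", "3.2"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Two caveats when reading the output. First, "unknown" is an action item, not a clean result: it is where unsupported branches and odd version strings end up. Second, because the page reports exploitation before public disclosure, a host that reads "patched" today may have been exposed while it was still unpatched, so the patched list is where log review and backdoor hunting starts rather than where it stops.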

Why should I read this?

Short version: this is proper bad news if you run Cisco ISE or Citrix NetScaler. Attackers weaponised zero-days before vendors had full fixes, used stealthy backdoors and hit infrastructure that controls who gets access across your network. If you manage network access or security, stop what you’re doing and check your inventory, patches and logs — now.

Source

Source: https://therecord.media/advanced-hacker-exploiting-cisco-citrix-zero-days-amazon