Attackers turned Citrix, Cisco 0-day exploits into custom-malware hellscape
Summary
Amazon’s CISO CJ Moses says an “advanced” attacker exploited two zero-day bugs — Citrix CVE-2025-5777 (CitrixBleed 2) and a previously undocumented Cisco ISE flaw now tracked as CVE-2025-20337 — to deploy tailored, in-memory malware. AWS’s MadPot honeypot observed attempts to exploit the Citrix NetScaler vulnerability before public disclosure. Subsequent investigation revealed a Cisco ISE deserialization bug being exploited in the wild before a CVE or complete patches were available. The intruder deployed a stealthy backdoor that used Java reflection, monitored Tomcat HTTP traffic, used DES with non-standard Base64 to evade detection, and required specific HTTP headers to activate — all signs of a skilled, well-resourced operator. Vendors have been slow to comment publicly.
Key Points
- Amazon detected attempts to exploit Citrix CVE-2025-5777 (CitrixBleed 2) before public disclosure via its MadPot honeypot.
- Attackers also exploited an undocumented Cisco ISE bug (CVE-2025-20337) allowing unauthenticated remote root code execution (CVSS 10).
- Exploitation occurred in the wild before full vendor advisories or patches were widely available — a patch-gap exploitation tactic.
- The deployed malware was custom, in-memory, used Java reflection to inject into threads, left minimal forensic traces, and acted as a Tomcat HTTP listener.
- Evasion techniques included DES encryption with non-standard Base64 and reliance on specific HTTP headers to trigger functionality.
- Combined access to two 0-days indicates a highly resourced attacker with advanced vulnerability-research capability or access to non-public vulnerability information.
- Citrix and Cisco had limited public comment at the time of reporting; Amazon shared findings with Cisco during investigation.
Context and relevance
This story matters because it shows how zero-days can be chained and weaponised quickly to deliver bespoke malware that avoids common detection methods. Organisations running Citrix NetScaler/NetScaler Gateway, Citrix AAA virtual servers or Cisco Identity Services Engine should treat this as high priority. The incident highlights an ongoing trend: sophisticated actors monitoring disclosure timelines and exploiting patch gaps to gain persistent, stealthy access to enterprise infrastructure. It also underlines the value of threat-hunting telemetry (like honeypots) and rapid information sharing between cloud providers and vendors.
Why should I read this?
Short version: if you run Citrix or Cisco ISE — stop scrolling and check your patching. This isn’t some noisy commodity malware job; it’s a tailored, quiet backdoor built for enterprise Java/Tomcat environments. Read it so you know what to prioritise (patch, hunt for strange Tomcat listeners, look for odd HTTP headers and in-memory implants).
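The "look for odd HTTP headers" hunt above is easy to start from a reverse proxy or WAF log that records the full request-header map. The following script is an added example, not code from the article or from Amazon, Citrix or Cisco; it assumes a hypothetical JSON-lines log format (one request per line with a `headers` object) and uses constructed sample records. It flags requests carrying header names outside an expected baseline, plus long, opaque, high-entropy header values that could serve as an activation trigger, in keeping with the in-memory listener described above. The baseline set and thresholds are assumptions to tune against your own traffic.

```python
import json
import math
from collections import Counter

# Constructed sample: a reverse proxy in front of the ISE admin Tomcat logging
# each request's header map as JSON (hypothetical format, not a real product log).
# The "X-Tsk" header and its value are invented for this example.
SAMPLE_LOG = """
{"ts":"2025-11-12T10:00:01Z","src":"10.0.0.5","method":"GET","path":"/admin/","headers":{"Host":"ise.example.internal","User-Agent":"Mozilla/5.0","Accept":"text/html"}}
{"ts":"2025-11-12T10:00:07Z","src":"10.0.0.5","method":"POST","path":"/admin/login","headers":{"Host":"ise.example.internal","User-Agent":"Mozilla/5.0","Content-Type":"application/x-www-form-urlencoded"}}
{"ts":"2025-11-12T10:02:44Z","src":"203.0.113.77","method":"POST","path":"/ers/","headers":{"Host":"ise.example.internal","User-Agent":"curl/8.4.0","X-Tsk":"Q7kP2zL9mX4vB1nR8wT3yH6jF0dS5aG"}}
"""

# Header names a normal browser or API client sends to these endpoints.
# Assumed baseline for the example; build yours from observed good traffic.
EXPECTED_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "content-type", "content-length", "cookie", "authorization", "referer",
    "origin", "connection", "x-requested-with", "x-forwarded-for",
}

# Headers that legitimately carry opaque tokens; high entropy is normal there.
TOKEN_HEADERS = {"cookie", "authorization"}

MIN_OPAQUE_LEN = 24      # shorter values are rarely meaningful triggers
ENTROPY_THRESHOLD = 4.5  # bits/char; random token-like strings usually exceed this


def shannon_entropy(value: str) -> float:
    """Bits per character of the string (0.0 for empty or a single repeated char)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_opaque(value: str) -> bool:
    """Long, whitespace-free value with high per-character entropy."""
    if len(value) < MIN_OPAQUE_LEN or any(ch.isspace() for ch in value):
        return False
    return shannon_entropy(value) >= ENTROPY_THRESHOLD


def inspect_request(record: dict) -> list[str]:
    """Return the list of reasons a request's headers look anomalous (empty if none)."""
    reasons = []
    for name, value in record.get("headers", {}).items():
        lname = name.lower()
        if lname not in EXPECTED_HEADERS:
            reasons.append(f"unexpected header name {name!r}")
        if lname not in TOKEN_HEADERS and looks_opaque(str(value)):
            bits = shannon_entropy(str(value))
            reasons.append(f"opaque high-entropy value in {name!r} ({bits:.2f} bits/char)")
    return reasons


def hunt(log_text: str) -> list[dict]:
    """Scan JSON-lines log text and collect requests with anomalous headers."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reasons = inspect_request(record)
        if reasons:
            findings.append({
                "ts": record["ts"], "src": record["src"],
                "method": record["method"], "path": record["path"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['method']} {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run it against your own proxy export by replacing `SAMPLE_LOG` with the file contents. Unknown header names alone will produce noise from legitimate tooling, so treat the two signals together (a name outside the baseline carrying an opaque value, from a source that does not otherwise behave like an admin client) as the item to pivot on, and pair hits with the Tomcat-side checks for unexpected listeners and in-memory code.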
Source
Article date: 2025-11-12T17:16:12+00:00