Executive Summary

Amazon's threat intelligence team has uncovered a sophisticated campaign by an advanced threat actor exploiting two zero-day vulnerabilities in widely used enterprise network appliances: Cisco Identity Service Engine (ISE) and Citrix NetScaler Application Delivery Controller (ADC). The vulnerabilities, now tracked as CVE-2025-20337 and CVE-2025-5777, are being actively exploited in the wild. The attackers are using custom malware to target these devices, which serve as critical gatekeepers for network access and authentication. This campaign highlights a strategic focus on compromising core identity and access management (IAM) infrastructure to gain deep, persistent access into target networks. Patches are forthcoming from both vendors, and organizations using these products must prepare for immediate deployment.

---

Threat Overview

• Threat Actor: An unnamed "advanced" threat actor, likely a nation-state or highly sophisticated cybercrime group, given the discovery of two separate zero-days and the use of custom tooling.
• Targeted Systems:
  • Cisco Identity Service Engine (ISE): A network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company's routers and switches.
  • Citrix NetScaler ADC: A networking appliance used for load balancing, traffic management, and providing secure remote access.
• Attack Vector: The threat actor is exploiting the zero-day vulnerabilities CVE-2025-20337 and CVE-2025-5777 to gain initial access to the targeted appliances. The exact nature of the vulnerabilities (e.g., RCE, authentication bypass) has not yet been detailed publicly.
• Malware: The attackers are deploying custom malware that demonstrates a deep understanding of the internal architecture of the targeted systems, particularly their enterprise Java application components.

This campaign was first identified through Amazon's MadPot honeypot network, which observed indiscriminate scanning and exploitation attempts across the internet. This suggests the actor is casting a wide net to identify vulnerable systems before selecting high-value targets for deeper compromise.

---

Technical Analysis

While specific technical details of the exploits are being withheld pending vendor patches, the attack pattern aligns with previous campaigns targeting edge infrastructure. The general TTPs can be inferred:

1. Initial Access (T1190 - Exploit Public-Facing Application): The actor exploits CVE-2025-20337 on Cisco ISE or CVE-2025-5777 on Citrix NetScaler to gain a foothold on the appliance.
2. Execution: The actor deploys custom malware, likely a web shell or a custom backdoor, to establish control. This leverages their knowledge of the Java-based frameworks running on these devices.
3. Persistence (T1505.003 - Web Shell): The malware is designed to survive reboots and remain hidden on the compromised appliance, providing long-term access.
4. Credential Access & Discovery: Once on the ISE or NetScaler, the actor has a privileged position to intercept authentication traffic, harvest credentials (T1003 - OS Credential Dumping), and map the internal network (T1046 - Network Service Discovery).

Compromising an identity management solution like Cisco ISE is particularly devastating, as it could allow the attacker to create rogue user accounts, modify access policies, and bypass network segmentation controls.

---

Impact Assessment

The business impact of this campaign is potentially severe. Compromise of Cisco ISE or Citrix NetScaler can lead to a complete breakdown of an organization's network security posture. Attackers can:

• Bypass network access controls and move laterally to any part of the network.
• Intercept sensitive data and credentials passing through the appliance.
• Impersonate legitimate users and access critical applications and data.
• Disrupt business operations by modifying network configurations or causing denial-of-service conditions.
• Establish a persistent and difficult-to-detect foothold for long-term espionage or future attacks.

Given that these devices are often the primary enforcement point for security policies, their compromise effectively renders many other security controls useless.

---

Cyber Observables for Detection

Until official IOCs are released, security teams should hunt for anomalous activity on their Cisco ISE and Citrix NetScaler appliances:

Type	Value	Description
Log Source	Cisco ISE / Citrix NetScaler System Logs	Monitor for unexpected reboots, service restarts, or error messages, particularly related to Java application components.
Network Traffic Pattern	Unusual Outbound Connections	Look for connections from the management interface of ISE/NetScaler appliances to unknown or suspicious IP addresses. These devices should typically only communicate with internal systems and vendor update servers.
File Path	/tmp, /var/tmp	Monitor for the creation of new or suspicious files (e.g., scripts, binaries, web shells) in temporary directories on the appliances.
Process Name	java	Look for anomalous Java processes with unusual command-line arguments or those consuming excessive CPU/memory.
User Account Pattern	New Local/Admin Accounts	Monitor for the creation of any new administrative accounts on the appliances, especially those created outside of normal change control windows.

---

Detection & Response

1. Asset Inventory: Immediately identify all Cisco ISE and Citrix NetScaler appliances in your environment, including their versions and network locations.
2. Log Analysis: Centralize and review logs from these appliances. Look for signs of unauthorized access, configuration changes, or suspicious processes. D3FEND's Network Traffic Analysis is critical here.
3. Vulnerability Scanning: As soon as signatures are available, scan for CVE-2025-20337 and CVE-2025-5777.
4. Restrict Access: Limit access to the management interfaces of these devices to a small set of authorized administrative workstations via a jump box or bastion host.
5. Prepare for Patching: Be prepared to apply patches from Cisco and Citrix on an emergency basis as soon as they are released.

---

Mitigation

1. Emergency Patching (M1051 - Update Software): This is the primary mitigation. Apply vendor patches for CVE-2025-20337 and CVE-2025-5777 as soon as they become available.
2. Network Segmentation (M1030 - Network Segmentation): Do not expose the management interfaces of these appliances to the internet. Restrict access to a dedicated, isolated management network. This aligns with D3FEND's Network Isolation.
3. Web Application Firewall (WAF): Place a WAF in front of any user-facing portals on these appliances. While not a substitute for patching, a WAF may be able to block some exploitation attempts through virtual patching.
4. Integrity Monitoring: Use file integrity monitoring (FIM) on the appliances to detect the creation of unauthorized web shells or other malicious files.