Zero-Day Attacks Exploit Citrix and Cisco Vulnerabilities

Written by Gustavo Sánchez | Nov 13, 2025 1:15:00 PM

Vulnerabilities that are exploited before a patch exists, known as zero-days, remain among the most dangerous threats to businesses. In recent months, researchers from Amazon Threat Intelligence discovered that an advanced group of attackers exploited critical flaws in Citrix and Cisco products before either company released security patches.

The attacks leveraged two major vulnerabilities:

  1. Citrix Bleed 2 (CVE-2025-5777), affecting NetScaler ADC and Gateway
  2. CVE-2025-20337, a flaw in Cisco Identity Services Engine (ISE)

Both were used as zero-days — exploited before any public disclosure or fixes existed. This finding confirms that even the most protected enterprise environments are vulnerable without continuous monitoring and a comprehensive cybersecurity strategy.

How It All Began: Amazon's Discovery

Amazon’s threat intelligence team analyzed data from its MadPot honeypot network, designed to detect malicious activity. According to their report, attempts to exploit Citrix Bleed 2 began before the vulnerability was disclosed, indicating attackers had prior knowledge and were already using it secretly.

During the investigation, Amazon also noticed anomalous payload behavior affecting Cisco ISE. This led to the discovery of a second zero-day, CVE-2025-20337, which relied on unsafe deserialization to execute malicious code inside the system.

How the Vulnerabilities Work

Citrix Bleed 2 (CVE-2025-5777)

This bug enables out-of-bounds memory reads, potentially exposing sensitive information or internal credentials. It affects NetScaler ADC and Gateway, widely used for application delivery and secure remote access in large enterprises.

Citrix released patches in June 2025, but public exploits were already circulating, and the U.S. CISA confirmed active exploitation.

Cisco ISE (CVE-2025-20337)

Even more severe, this flaw allows unauthenticated attackers to upload malicious files, execute arbitrary commands, and gain root-level privileges on affected devices.

Cisco published a security advisory on July 17, 2025, confirming ongoing exploitation. Just five days later, security researcher Bobby Gould published technical details on chaining the vulnerabilities for full system access.

How the Attacks Were Carried Out

Amazon’s analysis revealed that attackers combined both vulnerabilities to breach enterprise networks. After exploiting Citrix Bleed 2, they pivoted to Cisco ISE, deploying a custom web shell named IdentityAuditAction.

Disguised as a legitimate ISE component, the malicious file functioned as a persistent backdoor. Key features included:

  1. HTTP listener registration, intercepting web traffic
  2. Java Reflection code injection into Tomcat threads
  3. DES encryption with custom Base64 encoding to evade detection
  4. Authentication via HTTP headers, making it inaccessible without specific keys
  5. Minimal forensic traces, complicating detection even in deep audits

These tactics demonstrate advanced technical knowledge of Java, Tomcat, and Cisco ISE — suggesting involvement from a well-funded Advanced Persistent Threat (APT) group.

An Unusual Yet Advanced Actor

Amazon could not attribute the attacks to any known threat actor, though the level of sophistication points to nation-state or state-sponsored resources. Oddly, the campaign did not seem targeted, which is unusual: APT groups typically operate with surgical precision.

This may indicate attackers were testing the exploits or gathering reconnaissance before launching a broader campaign.

What We Learned

This case offers several critical lessons:

  1. Speed matters: zero-days may be exploited before public disclosure. Critical patching must be prioritized.
  2. Patching is not enough: security must be layered with segmentation, firewalls, and anomaly detection.
  3. Proactive monitoring works: tools like honeypots and threat intelligence platforms help detect early activity.
  4. Modern malware leaves few traces: encryption and anti-forensic techniques demand deep, automated analysis.

Recommended Protection Measures

At TecnetOne, we recommend a defense-in-depth strategy to counter zero-day threats. Key actions include:

  1. Patch Citrix and Cisco ISE immediately
    Apply official updates for CVE-2025-5777 and CVE-2025-20337.

  2. Restrict perimeter access
    Configure firewalls to limit who can reach Citrix and Cisco devices. Avoid exposing admin panels to the internet.

  3. Implement network segmentation
    Separate production from admin environments to hinder lateral movement after compromise.

  4. Strengthen authentication
    Enforce Multi-Factor Authentication (MFA) and audit privileged user permissions.

  5. Monitor for suspicious HTTP traffic
    Web shells like IdentityAuditAction manipulate headers and requests. Log analysis can expose them.

  6. Run regular audits
    Review security configs, firmware versions, and third-party plugins. Early detection prevents escalation.

  7. Develop an incident response plan
    Having clear protocols reduces response time and minimizes damage when new vulnerabilities surface.
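
The web shell traits described under "How the Attacks Were Carried Out" (access keys passed in HTTP headers, a custom Base64 encoding, minimal traces on disk) and the recommendation above to monitor HTTP traffic both come down to the same defensive task: reading access logs for requests that ordinary clients would not send. The Python script below is an added example written for this article; it is not Amazon's, Cisco's or TecnetOne's detection logic. It parses a few constructed Tomcat-style access-log lines and flags requests that hit a path outside an endpoint allowlist, carry non-standard request headers, or contain long random-looking tokens whose characters fall outside the standard Base64 alphabet. The log layout, the allowlist, the header names and the /admin/IdentityAuditAction path in the sample are all assumptions for illustration.

```python
"""Flag web-shell-style requests in constructed Tomcat-style access logs.

Added example: the heuristics, log format, allowlist and header names are
assumptions for illustration, not Cisco ISE internals or Amazon's detections.
"""
import math
import re
from collections import Counter

# Constructed log layout: combined log format plus one extra quoted field that
# carries selected request headers as "name: value; name: value" (or "-").
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)" "(?P<extra>[^"]*)"'
)

# Hypothetical allowlist of endpoints expected on this host (not a real ISE list).
KNOWN_PATHS = {"/admin/", "/admin/login.jsp", "/api/v1/status"}

# Request headers an ordinary browser or API client normally sends.
STANDARD_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "connection", "content-type", "content-length", "cookie",
    "authorization", "referer", "x-forwarded-for", "x-requested-with",
}

# Characters of standard and URL-safe Base64, including padding.
BASE64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=-_"
)
# Candidate opaque tokens: 24 or more printable characters with no spaces.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-.~!@#$%^&*]{24,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random-looking keys sit near 5 or above


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_line(line: str):
    """Parse one access-log line into a dict with a lower-cased headers map, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    headers = {}
    if rec["extra"] != "-":
        for pair in rec["extra"].split("; "):
            name, _, value = pair.partition(": ")
            headers[name.strip().lower()] = value.strip()
    rec["headers"] = headers
    return rec


def score_request(rec: dict) -> list:
    """Return the heuristic findings for one parsed request (empty list if clean)."""
    findings = []
    if rec["path"] not in KNOWN_PATHS:
        findings.append("unknown-path")
    for name, value in rec["headers"].items():
        if name not in STANDARD_HEADERS:
            findings.append(f"nonstandard-header:{name}")
        for token in TOKEN_RE.findall(value):
            if shannon_entropy(token) > ENTROPY_THRESHOLD:
                findings.append("high-entropy-token")
            if not set(token) <= BASE64_ALPHABET:
                findings.append("nonstandard-base64-alphabet")
    return findings


def scan(lines) -> list:
    """Return (ip, method, path, findings) for each request that triggered a heuristic."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings = score_request(rec)
        if findings:
            hits.append((rec["ip"], rec["method"], rec["path"], findings))
    return hits


# Constructed sample log: two ordinary requests, then two shaped like web-shell traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Nov/2025:10:00:01 +0000] "GET /admin/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
    '10.0.0.5 - - [13/Nov/2025:10:00:03 +0000] "POST /api/v1/status HTTP/1.1" 200 88 "-" "Mozilla/5.0" "content-type: application/json"',
    '203.0.113.7 - - [13/Nov/2025:10:02:17 +0000] "POST /admin/IdentityAuditAction HTTP/1.1" 200 0 "-" "python-requests/2.31" "x-session-token: Ab.Cd~Ef!Gh@Ij#Kl$Mn%Op^Qr&St*Uv; content-type: text/plain"',
    '203.0.113.7 - - [13/Nov/2025:10:02:19 +0000] "GET /admin/ HTTP/1.1" 200 1200 "-" "python-requests/2.31" "x-debug-key: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',
]

if __name__ == "__main__":
    for ip, method, path, findings in scan(SAMPLE_LOG):
        print(f"{ip} {method} {path}: {', '.join(findings)}")
```

Run against the constructed sample, the third line triggers all four heuristics and the fourth triggers only the unknown-header check. On a real appliance the allowlist has to be built from the paths the product legitimately serves, and the entropy threshold will need tuning, so a hit is a lead for an analyst to pull the request body and the file behind the path, not proof of compromise on its own.
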

A Landscape That Demands Proactive Security

This case shows that even top vendors like Citrix and Cisco can be exploited before they are aware of their own flaws. Attackers now preemptively analyze enterprise software for weak points that nobody has yet spotted.

In this environment, preventive cybersecurity is no longer optional — it's essential. Companies must anticipate attacks, reinforce internal controls, and monitor digital behavior 24/7.

At TecnetOne, we believe security should not be reactive but a continuous practice. Zero-day attacks are inevitable — but their impact can be drastically reduced with a strong strategy, full visibility, and a culture of cyber awareness.