
Amazon Uncovers Attacks Exploited Cisco ISE and Citrix NetScaler as Zero-Day Flaws

Critical
Malware
Published: Wed Nov 12 2025 (11/12/2025, 14:00:00 UTC)
Source: The Hacker News

Description

Amazon's threat intelligence team on Wednesday disclosed that it observed an advanced threat actor exploiting two then-zero-day security flaws in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products as part of attacks designed to deliver custom malware. "This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure –

AI-Powered Analysis

Last updated: 11/12/2025, 14:38:18 UTC

Technical Analysis

Amazon's threat intelligence team disclosed that an advanced threat actor exploited two zero-day vulnerabilities in widely deployed network access control and identity products: Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC.

The first, CVE-2025-20337, is a critical unauthenticated remote code execution flaw in Cisco ISE and the ISE Passive Identity Connector that lets an attacker execute arbitrary code as root on the underlying operating system. The second, CVE-2025-5777 (dubbed Citrix Bleed 2), is an insufficient-input-validation flaw in Citrix NetScaler ADC and Gateway that leads to an out-of-bounds memory read; the leaked memory can contain valid session tokens, so its practical effect is an authentication bypass. Both were exploited in attacks observed by Amazon's MadPot honeypot network before patches were publicly available (Citrix published its fix in June 2025, Cisco in July 2025).

On compromised ISE hosts the attacker deployed a custom web shell disguised as a legitimate Cisco ISE component named IdentityAuditAction. It operates entirely in memory, uses Java reflection to inject itself into running threads, monitors all HTTP requests handled by the Tomcat server, and protects its traffic with DES encryption and a non-standard Base64 alphabet, so file-based scanning and naive searches for standard Base64 strings will not find it.

The campaign combined indiscriminate targeting with bespoke tooling, which points to a well-resourced adversary with either its own vulnerability research capability or access to non-public vulnerability information. The focus on identity and network access control infrastructure is deliberate: these systems enforce policy and authentication for the rest of the enterprise. Because both exploits work before authentication, strong credentials and MFA on the affected appliances offered no protection; only patching, or keeping the vulnerable interface off untrusted networks, would have. The findings argue for defense-in-depth: strict access restrictions on management and authentication portals, and detection that can surface anomalous behavior on network edge appliances rather than relying on signatures alone.

Potential Impact

For European organizations, exploitation of these vulnerabilities threatens the confidentiality, integrity, and availability of the systems that gate network access and authentication. Cisco ISE and Citrix NetScaler are widely deployed across European enterprises for exactly that purpose. Successful exploitation gives an attacker root on a Cisco ISE appliance, enough to plant persistent backdoors, move laterally, and exfiltrate data; on NetScaler it yields valid session tokens for users of the gateway. The web shell's in-memory operation and custom encoding make it hard to detect, which lengthens dwell time and the damage done. Disruption or compromise of these systems can cause network access control to fail, grant unauthorized access to sensitive resources, and cascade into connected infrastructure. Given the products' role in finance, government, telecommunications, and critical infrastructure, the consequences include significant operational disruption, regulatory non-compliance, and reputational damage. Because the campaign targeted indiscriminately, any organization exposing these products was a potential victim, not only high-value ones.

Mitigation Recommendations

European organizations should immediately verify that the fixes released by Citrix (June 2025) and Cisco (July 2025) are installed on every NetScaler ADC/Gateway and ISE/ISE-PIC instance, including standby nodes and lab systems reachable from the network. Two caveats apply. Because Citrix Bleed 2 leaks session tokens from memory, tokens captured before the upgrade remain valid until their sessions are torn down, so terminate active ICA and PCoIP sessions after patching, as Citrix's advisory recommends. Because both exploits work before authentication, MFA on administrative access does not mitigate them; it remains worthwhile against credential reuse, but not as a substitute for patching.

Beyond patching, restrict access to the ISE and NetScaler management interfaces with network segmentation, firewall rules, VPN or zero-trust access policies, and keep the ISE admin portal off the internet. Deploy detection able to surface behavior consistent with the described web shell: classes loaded in the ISE Tomcat JVM that have no corresponding file on disk, anomalous HTTP requests to the appliance, and encrypted request or response bodies that are not standard Base64. Hunt regularly in Java/Tomcat environments and review appliance logs for references to an IdentityAuditAction component or similar names that do not belong to the installed release. Maintain an incident response plan that specifically covers identity and network access control systems, since rebuilding them affects every dependent service. Honeypots or deception technology can reveal exploitation attempts early, as MadPot did here. Finally, keep up continuous threat intelligence sharing with industry groups and vendors to stay informed of emerging tactics against these products.
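The detection advice above, and the in-memory web shell described in the technical analysis, come down to one hunt: find Java classes that exist only in the Tomcat JVM's memory. The following is an added example of that hunt in Python; it is not code from the article, from Amazon, or from either vendor. It diffs the classes a JVM reports through `jcmd <pid> GC.class_histogram` against the classes present in deployed jars and WEB-INF/classes trees, and skips classes the runtime legitimately synthesises (reflection accessors and lambda proxies, which the described shell's own use of reflection would produce). The sample histogram and on-disk class set are constructed; the package `com.example.ise.audit` is an assumption, and only the component name IdentityAuditAction comes from the report.

```python
"""Hunt for memory-resident Java classes in a Tomcat JVM.

A web shell injected at runtime through reflection has no .class file and no
jar entry on disk.  This script lists the classes the JVM has loaded
(jcmd <pid> GC.class_histogram) and reports those that sit in the application's
namespace but have no on-disk origin.  Added example with constructed data,
not tooling from the reported investigation.
"""
import re
import subprocess
import zipfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set

# One histogram row: "   5:   1   96  com.foo.Bar (java.base@17.0.2)"; the
# module suffix is present only for classes from the JDK runtime image.
_ROW = re.compile(r"^\s*\d+:\s+\d+\s+\d+\s+(\S+)(?:\s+\(([^)]+)\))?")

# Classes the JVM synthesises at runtime and that never exist on disk.  The
# reported shell drives itself through reflection, which is exactly what
# produces these accessors, so they are skipped rather than flagged.
_RUNTIME_GENERATED = (
    "jdk.internal.reflect.Generated",
    "sun.reflect.Generated",
    "java.lang.invoke.LambdaForm",
)


def parse_class_histogram(text: str) -> Dict[str, Optional[str]]:
    """Map class name -> module (None for the unnamed module, where container
    and application classes live).  Arrays, lambda proxies and hidden classes
    (which carry a /0x... suffix) are dropped."""
    loaded: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        name, module = m.group(1), m.group(2)
        if name.startswith("[") or "$$Lambda" in name or "/0x" in name:
            continue
        loaded[name] = module
    return loaded


def classes_on_disk(roots: Iterable[Path]) -> Set[str]:
    """Class names found as .class files under each root (a WEB-INF/classes
    tree) or as entries in .jar/.war archives beneath it."""
    found: Set[str] = set()
    for root in roots:
        root = Path(root)
        for p in root.rglob("*"):
            if p.suffix == ".class":
                found.add(".".join(p.relative_to(root).with_suffix("").parts))
            elif p.suffix in (".jar", ".war"):
                with zipfile.ZipFile(p) as z:
                    found.update(e[:-6].replace("/", ".")
                                 for e in z.namelist() if e.endswith(".class"))
    return found


def memory_only_classes(loaded: Dict[str, Optional[str]], on_disk: Set[str],
                        app_prefixes: Iterable[str] = ()) -> List[str]:
    """Loaded classes with no on-disk origin.  Classes from named JDK modules
    and runtime-generated classes are ignored; app_prefixes, if given,
    narrows the search to the application's own package namespace."""
    prefixes = tuple(app_prefixes)
    suspects = []
    for name, module in loaded.items():
        if module is not None or name.startswith(_RUNTIME_GENERATED):
            continue
        if prefixes and not name.startswith(prefixes):
            continue
        if name not in on_disk:
            suspects.append(name)
    return sorted(suspects)


def hunt(pid: int, webapp_roots: Iterable[Path], app_prefixes=()) -> List[str]:
    """Live hunt: attach to the JVM with jcmd (run as the JVM's own user)."""
    out = subprocess.run(["jcmd", str(pid), "GC.class_histogram"],
                         capture_output=True, text=True, check=True).stdout
    return memory_only_classes(parse_class_histogram(out),
                               classes_on_disk(webapp_roots), app_prefixes)


# Constructed sample: the histogram a compromised Tomcat might report and the
# classes shipped on disk.  Package com.example.ise.audit is hypothetical; only
# the component name IdentityAuditAction comes from the report.
SAMPLE_HISTOGRAM = """\
 num     #instances         #bytes  class name (module)
-------------------------------------------------------
   1:         48213        3901208  [B (java.base@17.0.2)
   2:         20110         482640  java.lang.String (java.base@17.0.2)
   3:           120          11520  org.apache.catalina.core.ApplicationFilterChain
   4:            40           3840  com.example.ise.audit.AuditLogger
   5:             1             96  com.example.ise.audit.IdentityAuditAction
   6:             3            288  jdk.internal.reflect.GeneratedMethodAccessor7 (java.base@17.0.2)
   7:             2            160  com.example.ise.audit.AuditLogger$$Lambda$12/0x0000000800c0a000
Total        68490        4399752
"""
SAMPLE_ON_DISK = {
    "org.apache.catalina.core.ApplicationFilterChain",
    "com.example.ise.audit.AuditLogger",
    "com.example.ise.audit.AuditLogger$1",
}

if __name__ == "__main__":
    hits = memory_only_classes(parse_class_histogram(SAMPLE_HISTOGRAM),
                               SAMPLE_ON_DISK, ("com.example.ise.",))
    for cls in hits:
        print("loaded but absent on disk:", cls)
```

For a live host, call `hunt(pid, [Path("/path/to/webapps")], ("com.cisco.",))` as the user that owns the JVM so `jcmd` can attach. On a Cisco ISE appliance that level of shell access is not normally available to administrators, so this is a technique for Tomcat hosts you control, or for vendor-assisted forensics. A hit is a lead, not a verdict: take a heap dump (`jcmd <pid> GC.heap_dump`) and inspect the class before acting, since build pipelines sometimes generate classes at startup too.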


Technical Details

Article Source
URL: https://thehackernews.com/2025/11/amazon-uncovers-attacks-exploited-cisco.html
Fetched: 2025-11-12T14:37:57Z
Word count: 1113

Threat ID: 69149bc7e0dfecc865864127

Added to database: 11/12/2025, 2:37:59 PM

Last enriched: 11/12/2025, 2:38:18 PM

Last updated: 11/16/2025, 2:50:20 AM


