Amazon discovers a stealth campaign exploiting unpatched Cisco and Citrix vulnerabilities before public disclosure.
Key Takeaways:
Amazon has discovered a highly sophisticated threat actor exploiting two zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC products. These vulnerabilities were actively targeted in real-world environments, exposing organizations to serious security risks.
According to Amazon’s threat intelligence team, it observed this campaign exploiting a critical zero-day vulnerability dubbed CitrixBleed 2 (CVE-2025-5777) through its MadPot honeypots before Citrix released a patch on June 17. CitrixBleed 2 allows attackers to extract sensitive session tokens from memory, which enables unauthorized access without user credentials. This security flaw was exploited by an unnamed advanced persistent threat (APT).
Amazon highlighted that its MadPot honeypot system captures hundreds of millions of daily connection attempts across thousands of sensors worldwide. The intelligence gathered is integrated with AWS security services like GuardDuty, Shield, WAF, and Inspector, and even used to take down malicious infrastructure in real time.
Subsequently, Amazon discovered a new vulnerability (CVE-2025-20337) in the unauthenticated deserialization logic of Cisco Identity Services Engine (ISE). This flaw enabled remote code execution without authentication, granting attackers administrator-level privileges. The same attackers were actively exploiting the Cisco ISE vulnerability before Cisco had even assigned a CVE or released patches in July.
“What made this discovery particularly concerning was that exploitation was occurring in the wild before Cisco had assigned a CVE number or released comprehensive patches across all affected branches of Cisco ISE. This patch-gap exploitation technique is a hallmark of sophisticated threat actors who closely monitor security updates and quickly weaponize vulnerabilities,” the Amazon threat intelligence team explained.
After compromising Cisco ISE, the attacker deployed a custom web shell disguised as a legitimate component. This web shell operated entirely in memory to avoid leaving disk traces, leveraged Java reflection to inject itself into active Tomcat threads, and registered as an HTTP listener to intercept incoming requests. To evade detection, it used DES encryption combined with a non-standard Base64 encoding scheme, and it could only be activated through specific HTTP headers known exclusively to the attacker.
The Amazon threat intelligence team also mentioned that this incident demonstrated a classic “patch-gap” scenario, where hackers exploited the Cisco ISE zero-day vulnerability before Cisco issued patches. This indicates that threat actors actively monitor vendor disclosures and weaponize newly discovered flaws during the time period between vulnerability discovery and public remediation, which makes unpatched systems especially vulnerable to sophisticated attacks.
Amazon advised organizations to strengthen their security posture through a defense-in-depth approach. The company emphasized that critical systems like identity management platforms, network gateways, and security appliances should never be exposed without layered protections. This means implementing strict network segmentation, placing these devices behind multiple firewalls, and limiting direct internet access wherever possible.
Lastly, Amazon recommended continuous monitoring for anomalies, such as unusual HTTP traffic patterns or unexpected internal communications. Moreover, IT admins should prioritize rapid patching and vulnerability management within their organizations. Amazon also emphasized the importance of proactive threat intelligence and honeypot deployments to detect emerging zero-day attacks early and reduce exposure to advanced persistent threats.