APT Campaign Exploited Zero-Days in Cisco ISE and Citrix NetScaler

Published Date: November 13, 2025

Category: ShadowOpsIntel

Amazon’s Threat Intelligence team uncovered a sophisticated APT campaign exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler (ADC/Gateway). The campaign leveraged these flaws for unauthenticated remote code execution, targeting identity management and remote access infrastructure – a critical backbone of enterprise security architectures.

Severity: Critical

Targeted Systems And Vulnerabilities

Citrix Systems:
- Amazon’s MadPot honeypot service detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) prior to its public disclosure, confirming zero-day exploitation.
- CVSS Score: 9.3
- Affected versions:
  - NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
  - NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
  - NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
  - NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS
Cisco ISE:
- Through further investigation, Amazon identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE.
- This vulnerability, now designated as CVE-2025-20337, allowed the threat actors to achieve pre-authentication remote code execution (RCE) on Cisco ISE deployments.
- The exploit provided administrator-level access to the compromised systems.
- CVSS Score: 10.0
- Affects: Cisco ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration

Custom Tooling And Evasion

Custom Web Shell: Following successful exploitation, the threat actor deployed a custom web shell disguised as a legitimate Cisco ISE component named IdentityAuditAction. This was a custom-built backdoor designed specifically for Cisco ISE environments.
Advanced evasion capabilities:
- Java reflection injection
- DES encryption with non-standard Base64
- Registered as a Tomcat HTTP listener
- Required custom HTTP headers for command execution

Recommendations

Customers running affected Citrix Netscaler systems should updated to the fixed versions:
- NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS
Citrix recommends running the following commands to terminate all active ICA and PCoIP sessions after all NetScaler appliances in the HA pair or cluster have been upgraded to the fixed builds:
- kill icaconnection -all
- kill pcoipConnection -all
CVE-2025-5777 Exploitation Detection:
- Syslog Analysis:
  - Exploit attempts may generate logs with log line containing:
    - Authentication is rejected for
    - AAA Message
    - non-ASCII characters (range 128-255)
  - If searching locally on a NetScaler MPX or VPX appliance within the /var/log directory, the following awk command can be used:
    zcat ns.log.*.gz | awk -v FS=’Authentication is rejected for ‘ ‘{if($1~/AAA Message/&&$2~/[\x80-\xff]/) print}’
- Session analysis:
  - Suspicious change in client IP address within a single session, which could indicate session hijacking (a plausible consequence of CVE-2025-5777 exploitation).
  - Look for logs with mismatched client IP and source IP.
Customers running affected Cisco ISE and ISE-PIC releases should update to Release 3.3 Patch 7 or Release 3.4 Patch 2.

Source:

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.