Threat actors utilized a maximum-severity zero-day vulnerability in Cisco Identity Service Engine (ISE) and Citrix systems to deploy custom backdoor malware.
Amazon’s threat intelligence team identified an insufficient validation of user-supplied input vulnerability in Cisco ISE deployments. This allowed pre-authentication remote code execution on compromised endpoints, providing administrator-level access. The bug, tracked as CVE-2025-20337, has a severity score of 10/10 (critical).
Researchers discovered this intrusion while investigating a Citrix Bleed Two vulnerability, also exploited as a zero-day. According to the NVD page, “A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root.” The advisory states, “The attacker does not require any valid credentials to exploit this vulnerability,” indicating exploits occur by submitting a crafted API request.
Attackers deployed a custom web shell disguised as a legitimate Cisco ISE component named IdentityAuditAction. Amazon explained this malware was not off-the-shelf but custom-built for Cisco ISE environments. The web shell operated entirely in-memory, used Java reflection to inject into running threads, and registered as a listener to monitor HTTP requests across the Tomcat server. It also implemented DES encryption with non-standard Base64 encoding. Access required knowledge of specific HTTP headers. Amazon did not attribute the attacks to any particular threat actor, stating the attacks were not targeted but used indiscriminately against numerous organizations.
