Executive Summary
In 2025, Amazon’s threat intelligence team identified an advanced persistent threat (APT) group exploiting zero-day vulnerabilities in Cisco Identity Services Engine (CVE-2025-20337) and Citrix NetScaler (CVE-2025-5777) before vendor patches were available. The attackers deployed custom malware with evasion capabilities, demonstrating a deep understanding of enterprise Java and network edge products. Exploitation was detected as early as May, prior to vendor disclosure, which gave the threat actor prolonged access to target environments, most likely for espionage. Mass exploitation attempts followed public disclosure, affecting thousands of organizations globally.
This incident underscores the increased speed and sophistication with which threat groups are identifying and weaponizing zero-day vulnerabilities in critical network and identity infrastructure. The trend poses escalating risks for organizations relying on edge devices, making timely patching and layered defenses more crucial than ever.
Why This Matters Now
This breach highlights the urgent risk posed by APT groups targeting network and identity edge devices using zero-day exploits. As such exploitation occurs before patches are available, organizations must accelerate detection and response capabilities, strengthen segmentation, and invest in proactive threat intelligence to mitigate potentially severe business impact.
Attack Path Analysis
The threat actor used zero-day vulnerabilities in Cisco ISE and Citrix NetScaler appliances to gain an initial foothold in targeted organizations. The two entry points differ in what they hand the attacker: the Cisco ISE flaw executes code as root on the appliance itself, so no further escalation was needed there, while the NetScaler flaw leaks memory that can contain session tokens, potentially letting the attacker hijack authenticated sessions. From either position the actor moved laterally, using custom malware and knowledge of enterprise environments to reach workloads and network segments beyond the entry point. Persistent command and control relied on covert channels and evasion techniques to maintain access and relay commands. The attackers probably collected and exfiltrated sensitive data over controlled outbound channels. Their objective was long-term espionage and retention of access rather than destructive action.
Kill Chain Progression
Initial Compromise
Description
Exploited Cisco ISE and Citrix NetScaler zero-day vulnerabilities (CVE-2025-20337 and CVE-2025-5777) to obtain remote access to target environments prior to public disclosure.
Related CVEs
CVE-2025-5777
CVSS 9.3
An out-of-bounds read (insufficient input validation leading to a memory over-read) in Citrix NetScaler ADC and Gateway allows unauthenticated attackers to read sensitive memory contents, including session tokens, potentially leading to session hijacking. Only appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server are exposed.
Affected Products:
Citrix NetScaler ADC – 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS before 13.1-37.235, 12.1-FIPS before 12.1-55.328
Citrix NetScaler Gateway – 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS before 13.1-37.235, 12.1-FIPS before 12.1-55.328
Exploit Status:
Exploited in the wild
CVE-2025-20337
CVSS 10.0
A vulnerability in a specific API of Cisco ISE and ISE-PIC allows unauthenticated, remote attackers to execute arbitrary code on the underlying operating system as root. Cisco attributes it to insufficient validation of user-supplied input; a crafted API request is sufficient, and no valid credentials are required.
Affected Products:
Cisco Identity Services Engine (ISE) – 3.3, 3.4
Cisco ISE Passive Identity Connector (ISE-PIC) – 3.3, 3.4
Exploit Status:
Exploited in the wild
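The affected-version lists above are easy to misread in an inventory script: NetScaler version strings take the form release-build.sub (for example 14.1-43.56), and the FIPS builds of 13.1 share their release number with the non-FIPS train but have a different fixed build, so a naive "is 13.1 patched?" check gives the wrong answer. The following Python is an added example, not code from this advisory, from Amazon or from Citrix. It parses that version format and reports each appliance against the fixed builds quoted above; the inventory lines are constructed, and whether a build is a FIPS build is supplied by the caller, since it cannot be derived from the number alone.

```python
"""Triage NetScaler ADC/Gateway builds against the CVE-2025-5777 fixed builds.

Added example (not from the advisory, Amazon or Citrix). Assumptions:
- version strings use the "<release>-<build>.<sub>" form seen in the Citrix
  bulletin, e.g. "14.1-43.56" or "13.1-37.235";
- the caller knows whether a build is a FIPS/NDcPP build (here read from a
  constructed inventory; on a real appliance take it from the build's
  release notes or the `show ns version` output).
"""
import re
from typing import Dict, NamedTuple, Tuple


class NsVersion(NamedTuple):
    release: str            # e.g. "14.1"
    build: Tuple[int, int]  # e.g. (43, 56)


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_ns_version(text: str) -> NsVersion:
    """Parse '14.1-43.56' into NsVersion('14.1', (43, 56))."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    return NsVersion(f"{major}.{minor}", (build, sub))


# First fixed build per (release, is_fips), copied from the affected-product
# list above. Trains absent from that list get no entry and are reported as
# "not listed": treat them as unpatched until confirmed against the bulletin.
FIXED_BUILDS: Dict[Tuple[str, bool], Tuple[int, int]] = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
    ("12.1", True): (55, 328),
}


def cve_2025_5777_status(version: str, fips: bool = False) -> str:
    """Return 'vulnerable', 'fixed' or 'not listed' for one build."""
    v = parse_ns_version(version)
    fixed = FIXED_BUILDS.get((v.release, fips))
    if fixed is None:
        return "not listed"
    # Tuple comparison orders by build first, then sub-build.
    return "fixed" if v.build >= fixed else "vulnerable"


# Constructed inventory: "<hostname> <version> <fips|nofips>" per line.
SAMPLE_INVENTORY = """\
ns-edge-01  14.1-43.50  nofips
ns-edge-02  14.1-43.56  nofips
ns-dc-gw    13.1-58.32  nofips
ns-fips-01  13.1-37.235 fips
ns-legacy   12.1-55.321 fips
ns-old      13.0-92.21  nofips
"""


def triage_inventory(text: str) -> Dict[str, str]:
    """Map hostname -> status for every non-empty inventory line."""
    results: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, version, fips_flag = line.split()
        results[host] = cve_2025_5777_status(version, fips_flag == "fips")
    return results


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:<12} {status}")
```

The FIPS flag has to be accurate: a non-FIPS 13.1 build wrongly recorded as FIPS (say 13.1-40.10) compares against the 13.1-37.235 FIPS fix and is reported as fixed when it is actually short of 13.1-58.32. The safer failure is the other way round, so when the flag is unknown, evaluate the build as non-FIPS.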
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Obtain Vulnerability Information
Command and Scripting Interpreter: Unix Shell
Obfuscated Files or Information
Abuse Elevation Control Mechanism
Valid Accounts
Remote Services: Remote Desktop Protocol
Application Layer Protocol: Web Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Address Vulnerabilities and Security Patches
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21
CISA ZTMM 2.0 – Ongoing Vulnerability Identification & Remediation
Control ID: Identity Pillar: Vulnerability Management
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
APT groups exploiting Cisco ISE and Citrix zero-days directly target network security infrastructure, requiring enhanced threat detection and egress security capabilities.
Financial Services
Zero-day exploitation of identity services and network edge infrastructure poses critical risks to financial institutions requiring strict compliance and data protection.
Health Care / Life Sciences
Advanced persistent threats targeting identity management systems threaten HIPAA compliance and patient data security: a compromised identity appliance gives the attacker a path for lateral movement and for command and control hidden inside encrypted traffic.
Government Administration
State-sponsored APT groups exploiting enterprise Java applications and network infrastructure create significant espionage risks for government agencies and critical infrastructure.
Sources
- Amazon pins Cisco, Citrix zero-day attacks to APT group: https://cyberscoop.com/amazon-threat-intel-apt-group-cisco-citrix-zero-days/
- Amazon discovers APT exploiting Cisco and Citrix zero-days: https://aws.amazon.com/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/
- Citrix NetScaler ADC and Gateway Security Bulletin for CVE-2025-5777: https://support.citrix.com/article/CTX693420
- Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-ise-rce-2025-20337.html
- Hackers turn Cisco and Citrix zero-days into a malware nightmare: https://www.techradar.com/pro/security/hackers-turn-cisco-and-citrix-zero-days-into-a-malware-nightmare
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, inline threat detection, and egress policy enforcement would have constrained the attacker's progression, detected anomalous activity, and prevented unauthorized data egress throughout the kill chain.
Control: Cloud Firewall (ACF)
Mitigation: Detection and prevention of exploitation attempts targeting vulnerable services exposed to the internet.
Control: Zero Trust Segmentation
Mitigation: Restricts lateral access, limiting privilege escalation paths from edge to internal systems.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized internal pivoting by inspecting and segmenting workload-to-workload communications.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks known C2 patterns or suspicious communication behaviors at network boundaries.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized or suspicious data transfers to external destinations.
Control: Threat Detection & Anomaly Response
Mitigation: Accelerates detection of anomalous persistence and suspicious long-term behaviors.
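The control list above pairs signature-based detection (inline IPS for known C2 patterns) with behavioral detection of "suspicious communication behaviors" and "long-term behaviors". The Python below is an added example of the behavioral side, not code from this advisory, from Amazon or from any vendor named here: it groups outbound flow records by source, destination and port and flags groups whose check-ins arrive at a near-constant interval over a long window, the signature of a beaconing implant that no IOC list is needed to spot. The flow records are constructed; the thresholds (minimum events, window, timing jitter) are assumptions to tune per environment.

```python
"""Flag outbound beaconing in flow records: one internal host contacting one
external destination at a near-constant interval over a long window.

Added example, not from the advisory or from Amazon. The flow records are
constructed; in practice they would be parsed from VPC Flow Logs, firewall
logs or Zeek conn.log, and the thresholds tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import fmean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: float        # epoch seconds
    src: str
    dst: str
    dport: int
    bytes_out: int


def constructed_flows() -> List[Flow]:
    """Constructed sample: a 300 s check-in with a few seconds of jitter and a
    fixed payload size, plus irregular browsing from the same host to a second
    destination over the same one-hour window."""
    base = datetime(2025, 5, 20, 2, 0, tzinfo=timezone.utc).timestamp()
    flows: List[Flow] = []
    jitter = [0, 3, -2, 5, -4, 1, 0, 6, -5, 2, -1, 4, 0]
    for i, j in enumerate(jitter):
        flows.append(Flow(base + 300 * i + j, "10.20.5.14", "198.51.100.23", 443, 612))
    for off in [0, 7, 9, 130, 131, 133, 900, 905, 2400, 2401, 3100, 3590, 3600]:
        flows.append(Flow(base + off, "10.20.5.14", "203.0.113.8", 443, 4096 + 37 * off))
    return flows


def _cv(values: List[float]) -> float:
    """Coefficient of variation (population stdev / mean); 0.0 for a flat series."""
    sd = pstdev(values)
    if sd == 0:
        return 0.0
    mean = fmean(values)
    return sd / mean if mean > 0 else float("inf")


def beacon_candidates(flows: List[Flow], min_events: int = 8,
                      max_timing_cv: float = 0.15, min_span_s: float = 600) -> List[dict]:
    """Group by (src, dst, dport); report groups seen at least min_events times
    across at least min_span_s seconds whose inter-arrival times are regular
    (timing CV <= max_timing_cv). Payload-size CV is reported as supporting
    evidence but is not used as a filter."""
    groups: Dict[Tuple[str, str, int], List[Flow]] = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)
    findings: List[dict] = []
    for (src, dst, dport), members in groups.items():
        if len(members) < min_events:
            continue
        times = sorted(f.ts for f in members)
        if times[-1] - times[0] < min_span_s:
            continue
        deltas = [b - a for a, b in zip(times, times[1:])]
        timing_cv = _cv(deltas)
        if timing_cv > max_timing_cv:
            continue
        findings.append({
            "src": src, "dst": dst, "dport": dport, "events": len(members),
            "period_s": round(fmean(deltas)),
            "timing_cv": round(timing_cv, 3),
            "size_cv": round(_cv([float(f.bytes_out) for f in members]), 3),
        })
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(constructed_flows()):
        print(finding)
```

Regular check-ins are also how NTP clients, monitoring agents and update checkers behave, so run this against an allowlist of approved pollers and feed the remainder into the egress policy: a destination that is not an approved endpoint and is contacted on a fixed period from an identity or edge appliance is exactly the traffic the egress control above should already be blocking.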
Impact at a Glance
Affected Business Functions
- Network Security
- Identity Management
- Remote Access
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive authentication tokens and administrative credentials, leading to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Cloud Firewall (ACF) to enforce strict perimeter controls and detect exploitation attempts against exposed services.
- Implement Zero Trust Segmentation to minimize lateral movement and restrict privilege escalation inside the cloud network.
- Apply East-West Traffic Security for granular visibility into, and prevention of, unauthorized workload-to-workload communications.
- Enforce Egress Security policies to block unapproved external data transfers and monitor for exfiltration attempts.
- Continuously operate Threat Detection & Anomaly Response to rapidly flag abnormal behaviors linked to persistence and espionage targets.