Executive Summary
In November 2025, Amazon's threat intelligence team disclosed an advanced campaign that had exploited then-unpatched vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC appliances before fixes were broadly available. The attackers used these flaws to gain privileged access inside victim environments and deployed custom malware on the compromised appliances, turning the identity and network infrastructure itself into the foothold. Because the exploited devices are trusted components of the network edge and the access-control path, the threat actor bypassed conventional perimeter defences, moved laterally with persistence, and put both operational continuity and data confidentiality at risk for affected organizations.
This incident underscores a continuing shift in attacker tactics toward zero-days in widely deployed network infrastructure rather than in end-user software. It highlights the risk carried by vendor-supplied appliances, the increasing sophistication of the actors targeting them, and the need for detection and patch management that does not depend on the appliance being trustworthy.
Why This Matters Now
With zero-day attacks now landing on core identity and access platforms, organizations need to assess their exposure and harden the protection around devices on the network's critical path. Because patch cycles and detection lag behind attacker innovation, robust segmentation, east-west traffic controls and zero trust strategies are what limit the damage in the window between exploitation and patch.
Attack Path Analysis
The adversary gained initial access by exploiting vulnerabilities in Cisco ISE and Citrix NetScaler ADC that were unpatched at the time, landing directly on infrastructure that authenticates and admits users. From that foothold the attackers escalated privileges to reach sensitive systems and controls, then moved laterally across internal cloud and network segments to extend their reach and identify high-value targets. Command and control channels from the compromised appliances provided persistence and remote management of the deployed malware. Sensitive data was then exfiltrated over outbound channels using evasion tactics, and execution of the custom malware produced operational impact, likely including data loss or business disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited zero-day vulnerabilities in Cisco ISE and Citrix NetScaler ADC to gain unauthorized entry into the victims' network access control and remote access infrastructure.
Related CVEs
CVE-2025-7775 (CVSS 9.2)
A memory overflow vulnerability in Citrix NetScaler ADC and Gateway that allows unauthenticated remote code execution or denial of service.
Affected Products:
Citrix NetScaler ADC – 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, 13.1-FIPS/NDcPP before 13.1-37.241-FIPS/NDcPP, 12.1-FIPS/NDcPP before 12.1-55.330-FIPS/NDcPP
Citrix NetScaler Gateway – 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, 13.1-FIPS/NDcPP before 13.1-37.241-FIPS/NDcPP, 12.1-FIPS/NDcPP before 12.1-55.330-FIPS/NDcPP
Exploit Status: exploited in the wild
CVE-2025-6543 (CVSS 9.2)
A memory overflow vulnerability in Citrix NetScaler ADC and Gateway that can lead to unintended control flow and denial of service.
Affected Products:
Citrix NetScaler ADC – 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, 13.1-FIPS/NDcPP before 13.1-37.236-FIPS/NDcPP
Citrix NetScaler Gateway – 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, 13.1-FIPS/NDcPP before 13.1-37.236-FIPS/NDcPP
Exploit Status: exploited in the wild
CVE-2025-5777 (CVSS 9.3)
An insufficient input validation flaw in Citrix NetScaler ADC and Gateway that leads to a memory overread and lets an unauthenticated attacker obtain sensitive information, including session material. This is the NetScaler vulnerability named in Amazon's report as exploited by this campaign.
Affected Products:
Citrix NetScaler ADC – 14.1 before 14.1-43.56, 13.1 before 13.1-58.32
Citrix NetScaler Gateway – 14.1 before 14.1-43.56, 13.1 before 13.1-58.32
Exploit Status: exploited in the wild
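The fixed builds above are only useful if they are compared against what is actually running. The following is an added example, not Citrix tooling and not code from the original report: it parses the build string printed by `show ns version` (format assumed to match `NetScaler NS14.1: Build 47.46.nc`) and reports each appliance's status per CVE. It covers the 14.1 and 13.1 mainline trains only; the FIPS/NDcPP trains carry separate build numbers and are deliberately reported as unassessed rather than safe.

```python
"""Assess NetScaler ADC / Gateway build strings against the first fixed
builds for CVE-2025-5777, CVE-2025-6543 and CVE-2025-7775.

Added example, not Citrix tooling. Only the 14.1 and 13.1 mainline trains are
covered; FIPS/NDcPP builds and end-of-life trains (12.1, 13.0) are reported as
"unassessed". Version-string format is assumed to follow `show ns version`.
"""
import re
from typing import NamedTuple

# (build, minor) of the first fixed build per release train, per CVE.
# A build numerically below the fixed build on the same train is vulnerable.
FIXED_BUILDS: dict[str, dict[str, tuple[int, int]]] = {
    "CVE-2025-5777": {"14.1": (43, 56), "13.1": (58, 32)},
    "CVE-2025-6543": {"14.1": (47, 46), "13.1": (59, 19)},
    "CVE-2025-7775": {"14.1": (47, 48), "13.1": (59, 22)},
}

# Matches e.g. "NetScaler NS14.1: Build 47.46.nc, Date: ..." (assumed format).
VERSION_RE = re.compile(r"NS(?P<train>\d+\.\d+):\s*Build\s+(?P<build>\d+)\.(?P<minor>\d+)")


class Build(NamedTuple):
    train: str   # release train, e.g. "14.1"
    build: int   # e.g. 47
    minor: int   # e.g. 46


def parse_build(version_line: str) -> Build:
    """Extract (train, build, minor) from a `show ns version` line."""
    m = VERSION_RE.search(version_line)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version string: {version_line!r}")
    return Build(m["train"], int(m["build"]), int(m["minor"]))


def assess(version_line: str) -> dict[str, str]:
    """Return {cve: 'vulnerable' | 'fixed' | 'unassessed'} for one appliance."""
    b = parse_build(version_line)
    result: dict[str, str] = {}
    for cve, fixed_by_train in FIXED_BUILDS.items():
        fixed = fixed_by_train.get(b.train)
        if fixed is None:
            # Train not in the table: never report "fixed" for something we did
            # not check (EOL trains are still vulnerable, just unassessed here).
            result[cve] = "unassessed"
        elif (b.build, b.minor) < fixed:
            result[cve] = "vulnerable"
        else:
            result[cve] = "fixed"
    return result


def fleet_report(version_lines: dict[str, str]) -> list[tuple[str, str]]:
    """(hostname, cve) pairs for every appliance that is not confirmed fixed."""
    needs_attention = []
    for host, line in version_lines.items():
        for cve, status in assess(line).items():
            if status != "fixed":
                needs_attention.append((host, cve))
    return needs_attention


if __name__ == "__main__":
    # Constructed inventory; hostnames and builds are illustrative.
    inventory = {
        "ns-edge-01": "NetScaler NS14.1: Build 43.56.nc",
        "ns-edge-02": "NetScaler NS13.1: Build 59.22.nc",
        "ns-lab-03": "NetScaler NS12.1: Build 55.300.nc",
    }
    for host, cve in fleet_report(inventory):
        print(f"{host}: {cve} {assess(inventory[host])[cve]}")
```

Note that a build which is fixed for CVE-2025-5777 (43.56 on 14.1) is still vulnerable to the two later CVEs; the tuple comparison per CVE makes that explicit instead of collapsing the three advisories into one "patched or not" answer.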
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
External Remote Services (T1133)
Abuse Elevation Control Mechanism (T1548)
Valid Accounts (T1078)
Ingress Tool Transfer (T1105)
System Services (T1569)
Impair Defenses (T1562)
Command and Scripting Interpreter (T1059)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Vulnerabilities Are Identified and Addressed
Control ID: 6.3.1 (vulnerability identification and risk ranking); 6.3.3 (installation of applicable security patches)
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Requirements
Control ID: Art. 9
CISA ZTMM 2.0 – Regular Assessment of Exposed Assets
Control ID: Asset Management: AM-2
NIS2 Directive – Cybersecurity Risk-Management Measures
Control ID: Art. 21
Sector Implications
Industry-specific impact of the vulnerabilities, covering operational, regulatory and cloud security risk.
Financial Services
Vulnerabilities in Cisco ISE and Citrix NetScaler put the identity infrastructure of banking environments within reach of zero-day exploitation aimed at network access controls and the appliances that terminate encrypted remote-access traffic.
Health Care / Life Sciences
Zero-day compromise of identity services threatens the protection of patient data that HIPAA requires, and argues for east-west traffic security and anomaly detection that do not rely on the identity platform being intact.
Government Administration
Advanced threat actors exploiting network access control infrastructure pose severe risk to government systems, which need zero trust segmentation and a rehearsed threat detection and response capability.
Information Technology
Custom malware delivered through compromised Cisco and Citrix infrastructure directly affects IT providers responsible for multicloud visibility, egress security and client network segmentation, since the compromised appliance often sits on the boundary between tenants.
Sources
- Amazon Uncovers Attacks Exploited Cisco ISE and Citrix NetScaler as Zero-Day Flaws – https://thehackernews.com/2025/11/amazon-uncovers-attacks-exploited-cisco.html
- Critical Security Update for NetScaler ADC and Gateway – https://www.citrix.com/blogs/2025/08/26/critical-security-update-for-netscaler-adc-and-gateway/
- CISA Adds CVE-2025-7775 to Known Exploited Vulnerabilities Catalog – https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Over 28,000 Citrix Instances Vulnerable to Actively Exploited RCE Bug – https://www.bleepingcomputer.com/news/security/over-28-200-citrix-instances-vulnerable-to-actively-exploited-rce-bug/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero trust segmentation, east-west traffic controls, inline threat detection and strict egress policy enforcement would have limited adversary movement, surfaced malicious activity and blocked data exfiltration at several points along the kill chain. None of these controls prevents the initial exploitation of an unpatched appliance; their value is in containing an appliance that has already been taken over, so that a single compromised ISE or NetScaler node does not become a path to every workload.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline distributed enforcement would have limited blast radius from initial exploitation.
Control: Zero Trust Segmentation
Mitigation: Segmentation policies restrict privilege escalation by enforcing least-privilege access across workloads.
Control: East-West Traffic Security
Mitigation: Microsegmentation disrupts unauthorized lateral movements within cloud and hybrid infrastructure.
Control: Inline IPS (Suricata)
Mitigation: Inline threat detection blocks known C2 behaviors and raises real-time alerts.
Control: Egress Security & Policy Enforcement
Mitigation: Strict egress controls prevent unauthorized data transfers and block risky destinations.
Combined with rapid detection and incident response, these controls minimize the impact on critical assets during the window before a patch is available.
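The egress and east-west controls listed above are easiest to reason about as a narrow allow-list per appliance: an ISE or NetScaler node has a short, knowable set of legitimate outbound destinations (NTP, syslog, directory servers, vendor updates), so any other connection it initiates is worth an alert. The following is an added example, not code from the original report or from any vendor product; the appliance addresses, allow-list and flow records are constructed, and the flow format (timestamp, source, destination, destination port, protocol, bytes) is a simplification of VPC flow log or NetFlow fields.

```python
"""Flag network appliances that initiate connections outside their sanctioned
egress profile, from simplified flow records.

Added example; addresses, allow-list and sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Appliances whose legitimate outbound traffic is small and known. Keyed by
# management IP (constructed).
APPLIANCES = {
    "10.0.1.10": "ise-01",
    "10.0.1.20": "netscaler-01",
}

# Sanctioned egress as (destination network, destination port). Anything else
# initiated by an appliance is reported. Constructed values.
ALLOWED_EGRESS = [
    (ipaddress.ip_network("10.0.0.5/32"), 123),   # internal NTP
    (ipaddress.ip_network("10.0.0.6/32"), 514),   # syslog collector
    (ipaddress.ip_network("10.0.0.0/24"), 636),   # LDAPS to directory servers
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
BULK_BYTES = 1_000_000   # an appliance pushing >1 MB in one flow is unusual


@dataclass(frozen=True)
class Alert:
    appliance: str
    dst: str
    dport: int
    reasons: tuple[str, ...]


def parse_flow(line: str):
    """'ts src dst dport proto bytes' -> typed tuple."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto, int(nbytes)


def is_sanctioned(dst, dport: int) -> bool:
    return any(dst in net and dport == port for net, port in ALLOWED_EGRESS)


def detect(flow_lines: list[str]) -> list[Alert]:
    """One Alert per appliance-initiated flow that falls outside the profile."""
    alerts: list[Alert] = []
    for line in flow_lines:
        _ts, src, dst, dport, _proto, nbytes = parse_flow(line)
        name = APPLIANCES.get(str(src))
        if name is None or is_sanctioned(dst, dport):
            continue   # not an appliance, or within its egress profile
        reasons = []
        if dst in INTERNAL:
            # Appliance reaching into a workload segment: lateral movement candidate.
            reasons.append("unexpected-internal-destination")
        else:
            # Appliance talking to the internet outside the allow-list: C2 or exfil candidate.
            reasons.append("unsanctioned-egress")
        if nbytes >= BULK_BYTES:
            reasons.append("bulk-transfer")
        alerts.append(Alert(name, str(dst), dport, tuple(reasons)))
    return alerts


SAMPLE_FLOWS = [   # constructed flow records
    "2025-11-12T10:00:01Z 10.0.1.20 10.0.0.5 123 udp 76",
    "2025-11-12T10:00:05Z 10.0.1.20 10.0.0.6 514 udp 1200",
    "2025-11-12T10:01:10Z 10.0.1.20 203.0.113.45 443 tcp 8421337",
    "2025-11-12T10:02:00Z 10.0.1.10 10.0.5.40 445 tcp 2048",
    "2025-11-12T10:03:00Z 10.0.2.15 203.0.113.45 443 tcp 500",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The same allow-list is what an enforcement point (security group, firewall or microsegmentation policy) should carry as deny-by-default rules; running it first in detection mode over historical flows shows which legitimate destinations the inventory missed before anything is blocked. The example treats the flow's source as the initiator; with bidirectional NetFlow exports, the record must be normalised so that the appliance-side address is the one that opened the connection.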
Impact at a Glance
Affected Business Functions
- Network Access Control
- Remote Access Services
- Identity Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive authentication credentials and unauthorized access to internal network resources.
Recommended Actions
Key Takeaways & Next Steps
- Implement zero trust segmentation to isolate critical infrastructure components and reduce attack surface.
- Enforce strict east-west traffic inspection and microsegmentation to disrupt lateral movement post-compromise.
- Enable inline IPS and real-time threat detection to identify and block C2 communications and malware activity.
- Apply robust egress policy enforcement to prevent data exfiltration and restrict outbound communication to sanctioned services.
- Continuously monitor for anomalies using cloud-native visibility tools and respond swiftly to detected threats to protect business operations.