When Your Access Control Becomes the Backdoor

Two of the most sensitive layers in modern enterprise infrastructure—application delivery at the edge and identity enforcement in the core—were silently weaponized as zero-days in a single coordinated campaign.

Amazon’s threat intelligence team has disclosed that an advanced threat actor exploited:

  • Citrix “Citrix Bleed 2” (CVE-2025-5777) in NetScaler ADC and Gateway
  • Cisco Identity Services Engine (ISE) (CVE-2025-20337)

as zero-days, well before public advisories and patches were available.

The incident, reconstructed from Amazon’s MadPot honeypot telemetry and subsequent investigations, is not just another patch-now headline. It’s a blueprint for where offensive R&D is going next: high-skill exploitation of identity and edge infrastructure with custom, low-noise tooling designed to outpace both vendors and defenders.

_Source: BleepingComputer reporting on Amazon’s technical findings; Cisco and Citrix security advisories; Amazon Threat Intelligence disclosures._

The Exploit Chain: From Edge Bleed to Identity Capture

Citrix Bleed 2: A familiar class of bug with escalated stakes

Citrix Bleed 2 (CVE-2025-5777) is an out-of-bounds memory read issue affecting NetScaler ADC and Gateway.

Key points:

  • Impact: Exposure of sensitive memory contents, including potentially session tokens, credentials, or configuration artifacts.
  • Timeline:
    • Fixes released in late June 2025.
    • Public exploit code emerged in early July.
    • CISA later confirmed exploitation in the wild.
  • New twist: Amazon’s MadPot data indicates exploitation attempts before public disclosure—i.e., it was a live zero-day in the hands of at least one capable actor.

This aligns with a pattern we’ve seen since the original Citrix Bleed era: network appliances with high-value data paths and historically weaker observability remain prime targets for pre-disclosure exploitation.

Cisco ISE CVE-2025-20337: From bug to root in one move

Cisco ISE is central to network access control in many enterprises—802.1X, posture assessment, segmentation policies, identity-backed network decisions. That makes CVE-2025-20337 especially dangerous.

Cisco’s advisory (July 17, 2025) flagged:

  • Pre-authentication exploitability
  • Ability for an attacker to:
    • Upload and store malicious files
    • Achieve arbitrary code execution
    • Gain root privileges on vulnerable ISE appliances

Within days:

  • Cisco confirmed active exploitation.
  • Security researcher Bobby Gould released a technical write-up and exploit chain on July 28, effectively weaponizing the vulnerability for a broader audience.

Amazon’s report adds the missing prequel: the same threat actor abusing Citrix Bleed 2 was also hitting a previously undocumented Cisco ISE endpoint with vulnerable deserialization logic—again, prior to public disclosure. That’s a coordinated dual zero-day posture.

IdentityAuditAction: A Web Shell Built for Ghost Mode

Once in, the attackers didn’t drop commodity web shells. They deployed a tailored implant Amazon tracks as “IdentityAuditAction” on Cisco ISE systems.

Highlights of the tradecraft:

  • Disguised as a legitimate ISE component, blending into native application structure and naming.
  • Registered itself as an HTTP listener, passively intercepting all incoming requests.
  • Used Java reflection to hook into Tomcat server threads—a deep integration that:
    • Avoids noisy auxiliary processes.
    • Rides existing application execution paths.
  • Employed DES encryption with non-standard Base64 encoding for command and control:
    • Obfuscates traffic.
    • Defeats simplistic content and pattern matching.
  • Required specific HTTP headers to activate, effectively implementing a “secret knock.”
  • Left minimal forensic traces, complicating both IR triage and long-tail investigations.

This isn’t smash-and-grab malware. It’s infrastructure-aware, vendor-fluent code written by operators who understand:

  • Java/Tomcat internals
  • Cisco ISE’s architecture and deployment models
  • How defenders typically log, parse, and hunt in identity platforms

Amazon refrained from naming a specific group, but the profile is clear: highly resourced, disciplined, with access to multiple zero-days and the engineering muscle to build bespoke implants.

The only oddity: targeting appeared broad rather than constrained to a tight list of high-value organizations, which is atypical for the most elite state-linked operators. That divergence raises possibilities—from misdirection, to access-broker behavior, to capability testing at scale.

Why This Campaign Should Worry Every Infrastructure Team

For security leaders and engineers, several underlying themes matter more than any single CVE:

  1. Edge and identity appliances are now Tier-0 targets.

    • These devices sit in privileged, trusted positions—with session data, tokens, auth flows, and policy engines.
    • They often lag behind standard server fleets in:
      • Patch cadence
      • Telemetry integration
      • EDR/forensics coverage
    • Result: perfect staging grounds for long-term, low-visibility compromise.
  2. Pre-disclosure exploitation is no longer exceptional.

    • The Citrix and Cisco flaws were in use before advisory publication.
    • This implies:
      • Dedicated vulnerability research pipelines.
      • Possible insider threat or advisory-leak scenarios, or simply superior bug-hunting.
    • Teams must plan under the assumption that critical edge bugs are weaponized before you ever see a CVE.
  3. Deserialization and web stack abuse remain chronic weak points.

    • The Cisco ISE bug hinges on unsafe deserialization—an old class of bug, still lethal in complex Java ecosystems.
    • IdentityAuditAction’s Tomcat thread injection shows that attackers assume—and exploit—deep familiarity with legacy and modern web stacks.
  4. Detection engineering must catch up with adversary engineering.

    • Traditional IOCs (file hashes, fixed paths, static signatures) are nearly useless against:
      • Custom web shells mimicking native components
      • Encrypted C2 with custom encodings
      • Multi-stage auth header triggers

This is an operator-versus-operator game now: your ability to observe and reason about your own infrastructure versus theirs.

Practical Takeaways for Defenders and Builders

For readers running NetScaler, Cisco ISE, or similar high-privilege appliances, this is the part to send directly into your incident response and architecture channels.

  1. Patch, but don’t stop at patching.

    • Immediately ensure:
      • Citrix NetScaler ADC/Gateway is updated for CVE-2025-5777.
      • Cisco ISE is updated for CVE-2025-20337.
    • Assume possible pre-patch compromise. Look back, not just forward.
  2. Hunt specifically for web shell and hook-like behavior.
    Consider targeted hunts on Cisco ISE and similar platforms for:

    • Unexpected Java classes, JARs, or resources named to resemble native modules.
    • HTTP listeners or filters added outside standard configuration paths.
    • Unusual use of reflection within Tomcat or custom servlet components.
    • Encrypted payloads or non-standard Base64 patterns in requests to management or admin paths.
    • Requests that only differ by specific, rare HTTP headers used consistently from a small IP set.
  3. Shrink the blast radius of appliance compromise.

    • Treat edge and identity platforms as high-value assets:
      • Isolate via strict ACLs and segmentation.
      • Prefer dedicated management networks over exposure via general admin VLANs.
      • Use firewall policies to limit who can talk to Citrix/Cisco appliances—and on which ports.
    • Assume credential/session theft:
      • Trigger reviews for SSO tokens, admin creds, device certificates if compromise seems plausible.
  4. Elevate observability around identity and edge.

    • Forward detailed logs (HTTP, configuration, auth, system) to your SIEM by default.
    • Normalize and parse web and app logs for:
      • Abnormal header patterns
      • Rare endpoints or parameters
      • Spikes of 500/4xx errors preceding successful access
    • If your monitoring excludes appliances because “they’re stable” or “they’re black boxes,” this campaign is your warning shot.
  5. For vendors and developers: stop treating appliances as special.

    • The Cisco ISE bug and its exploitation are another indictment of unsafe deserialization and insufficient hardening.
    • Security expectations for “appliances” must match—or exceed—cloud-native services:
      • Memory-safe components where possible
      • Aggressive input validation
      • Hardened deserialization strategies (or eliminating it entirely)
      • Built-in integrity checks for modules
      • Native telemetry and forensic hooks so defenders can see what’s happening under the hood
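A starting point for the hunts in items 2 and 4 above, added here as an example and not code from the Amazon report or either vendor: it runs over a constructed, simplified JSON-lines access log (not Cisco ISE's real log format; the header name X-Audit-Mode is invented) and flags rare headers used consistently from a single source, plus runs of 4xx/5xx errors on one path that end in a successful response.

```python
import json
from collections import Counter, defaultdict

# Constructed sample log, one JSON object per line. This is NOT Cisco ISE's real log
# schema, and the header name "X-Audit-Mode" is invented for the example.
SAMPLE_LOG = """\
{"ip":"10.0.0.5","path":"/admin/login","status":200,"headers":["Host","User-Agent","Accept"]}
{"ip":"10.0.0.6","path":"/admin/login","status":200,"headers":["Host","User-Agent","Accept"]}
{"ip":"10.0.0.7","path":"/portal","status":200,"headers":["Host","User-Agent","Accept","Cookie"]}
{"ip":"10.0.0.8","path":"/portal","status":200,"headers":["Host","User-Agent","Accept","Cookie"]}
{"ip":"203.0.113.9","path":"/admin/api","status":500,"headers":["Host","User-Agent","X-Audit-Mode"]}
{"ip":"203.0.113.9","path":"/admin/api","status":500,"headers":["Host","User-Agent","X-Audit-Mode"]}
{"ip":"203.0.113.9","path":"/admin/api","status":500,"headers":["Host","User-Agent","X-Audit-Mode"]}
{"ip":"203.0.113.9","path":"/admin/api","status":200,"headers":["Host","User-Agent","X-Audit-Mode"]}
"""

def parse_log(text):
    """Parse the JSON-lines text into a list of request records (log order preserved)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def rare_headers(records, max_share=0.5, max_ips=1):
    """Header names seen in at most max_share of requests and sent by at most max_ips
    distinct client IPs: a rare header used consistently by one source is a 'secret knock' candidate."""
    total = len(records)
    count, ips = Counter(), defaultdict(set)
    for r in records:
        for h in r["headers"]:
            count[h] += 1
            ips[h].add(r["ip"])
    return {h: sorted(ips[h]) for h in count
            if count[h] / total <= max_share and len(ips[h]) <= max_ips}

def error_bursts_then_success(records, min_errors=3):
    """(ip, path, error_count) for every run of >= min_errors 4xx/5xx responses that is
    immediately followed by a non-error response on the same ip+path."""
    runs, hits = defaultdict(int), []
    for r in records:
        key = (r["ip"], r["path"])
        if r["status"] >= 400:
            runs[key] += 1
            continue
        if runs[key] >= min_errors:
            hits.append((r["ip"], r["path"], runs[key]))
        runs[key] = 0
    return hits

def hunt(text):
    records = parse_log(text)
    return {"rare_headers": rare_headers(records), "error_bursts": error_bursts_then_success(records)}
```

Tune max_share and max_ips to your own traffic baseline; on a real appliance the thresholds that separate a management console from a one-off source will differ from this toy log.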

When the Gatekeepers Become Targets

The Citrix Bleed 2 and Cisco ISE zero-day campaign is not remarkable because it existed—by now, that’s expected. It’s remarkable because of what it selected: the systems we trust to mediate, secure, and authenticate everything else.

For organizations that have invested in zero trust, SSO, NAC, and segmentation, this operation hits at an uncomfortable truth: if your control plane is opaque and fragile, it is also exploitable. The answer is not paranoia; it’s parity. Give your identity and edge infrastructure the same rigor you give your production apps: modern engineering standards, real-time telemetry, aggressive patching, and practiced incident response.

The attacker in this story knew these systems better than many of the teams running them. That gap is the real vulnerability—and it’s one we can close.