
Zero-Day Siege: Attackers Exploit Cisco ISE & Citrix Vulnerabilities to Deploy Stealth Webshells

November 19, 2025


A newly uncovered cyber campaign is exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix infrastructure, enabling attackers to deploy stealth, memory-resident webshells and gain full administrative control over enterprise networks.

Amazon’s Threat Intelligence team identified the campaign through their MadPot honeypot network, uncovering early weaponization of two previously unknown vulnerabilities — one affecting Citrix and another targeting Cisco ISE.

This multi-zero-day operation reveals a highly resourced, technically mature adversary capable of discovering, engineering, and exploiting critical weaknesses before vendors released patches.


🧨 Zero-Day #1: Citrix “Bleed Two” Exploited Before Disclosure (CVE-2025-5777)

Amazon observed active exploitation attempts before Citrix publicly acknowledged the flaw.
This means threat actors already developed functional exploits — a hallmark of elite threat groups with access to advanced vulnerability research capabilities.


🧨 Zero-Day #2: Cisco ISE Compromised via Undocumented Endpoint (CVE-2025-20337)

During further investigation, Amazon uncovered a second zero-day targeting identity infrastructure:

CVE-2025-20337 — a pre-authentication remote code execution vulnerability caused by unsafe deserialization on an undocumented Cisco ISE endpoint.

Impact:

  • No credentials required

  • Full administrative access granted

  • Ability to execute arbitrary code

  • Direct compromise of identity enforcement and network access controls

The exploitation occurred before Cisco released complete patches, suggesting attackers were either monitoring pre-release changes or had access to non-public information.


🕵️‍♂️ Custom Memory-Resident Webshell: Engineered for Stealth

After breaching Cisco ISE systems, the attackers deployed a custom-built webshell disguised as a legitimate component:

IdentityAuditAction — The Fake Cisco Module

The malicious webshell featured:

  • Memory-only operation (minimal forensic footprint)

  • Java reflection to inject into active application threads

  • Registration as a Tomcat HTTP request listener

  • Custom DES encryption with nonstandard Base64 encoding

  • Hidden access requiring special HTTP headers and second-layer authentication

This wasn’t commodity malware — it was tailor-made for Cisco ISE environments by operators with deep knowledge of:

  • Enterprise Java frameworks

  • Tomcat internals

  • Cisco ISE’s architecture and module hierarchy

In short, this was a professional-grade backdoor designed for long-term stealth and persistence.


🎯 Targeting Strategy Indicates a High-Tier Adversary

Amazon’s telemetry shows attackers indiscriminately scanning and exploiting internet-exposed systems, leveraging both zero-days in parallel.

This operational pattern suggests:

  • Access to proprietary vulnerability intelligence

  • Expert-level reverse engineering capabilities

  • Ability to rapidly deploy new tooling

  • A goal of widespread foothold acquisition across global networks

Identity management systems and remote-access gateways — like Cisco ISE and Citrix — remain prime targets for threat actors because compromising them provides direct access to authentication flows, network segmentation, and enterprise trust boundaries.


🛡️ Elliptic Systems Recommendations

1️⃣ Implement Immediate Access Restrictions

Restrict external access to all Cisco ISE and Citrix management interfaces using:

  • Firewall segmentation

  • Zero Trust network rules

  • IP allowlisting

2️⃣ Deploy Full Defense-in-Depth Monitoring

Identity systems must be monitored like domain controllers. Prioritize:

  • Tomcat thread integrity checks

  • Memory inspection for unauthorized listeners

  • Web request header anomaly detection

  • Sudden access to undocumented endpoints

3️⃣ Hunt for Webshell Indicators of Compromise

Especially memory-resident artifacts tied to:

  • IdentityAuditAction

  • Custom DES ciphertext

  • Non-standard Base64 patterns
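An added hunting sketch, not from the original post and not Amazon's or Cisco's tooling, that turns the webshell description above and the monitoring and hunting recommendations into two checks over constructed data: a diff of the Tomcat filter/listener/valve classes loaded on a node against a known-good baseline (singling out anything named IdentityAuditAction), and a scan of request records for undocumented paths and header names outside the expected set. The baseline class names (com.example.*), documented path prefixes, header allowlist and sample records are all constructed placeholders; a real baseline would be captured from a clean node, for example via a JMX dump.

```python
import json

# Constructed baseline of Tomcat filter/listener/valve class names recorded on a
# known-good node; com.example.* names are placeholders, not real Cisco classes.
BASELINE_COMPONENTS = {
    "org.apache.catalina.filters.CorsFilter",
    "org.apache.catalina.valves.AccessLogValve",
    "com.example.ise.SessionAuditFilter",
}
# Constructed allowlists: header names legitimate clients send, documented URL prefixes.
EXPECTED_HEADERS = {"host", "user-agent", "accept", "cookie", "content-type",
                    "content-length", "x-requested-with", "referer"}
DOCUMENTED_PATHS = ("/admin/", "/ers/", "/api/v1/")

def find_unexpected_components(snapshot):
    """Diff a runtime component snapshot against the baseline; also single out any
    class whose simple name is IdentityAuditAction, the disguised module named above."""
    unexpected = sorted(set(snapshot) - BASELINE_COMPONENTS)
    flagged = [c for c in unexpected if c.rsplit(".", 1)[-1] == "IdentityAuditAction"]
    return unexpected, flagged

def find_suspicious_requests(log_lines):
    """Flag JSON request records whose path is outside the documented surface or
    that carry header names outside the expected set (where a hidden
    activation header would surface)."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        undocumented = not rec["path"].startswith(DOCUMENTED_PATHS)
        odd = sorted(h for h in rec["headers"] if h.lower() not in EXPECTED_HEADERS)
        if undocumented or odd:
            hits.append({"path": rec["path"], "undocumented": undocumented, "odd_headers": odd})
    return hits

# Constructed sample data standing in for a JMX dump and a proxy log with header capture.
SAMPLE_SNAPSHOT = [
    "org.apache.catalina.filters.CorsFilter",
    "org.apache.catalina.valves.AccessLogValve",
    "com.example.ise.SessionAuditFilter",
    "com.example.ise.IdentityAuditAction",  # not in baseline; carries the campaign's name
]
SAMPLE_LOG = [
    json.dumps({"path": "/admin/login", "headers": ["Host", "User-Agent", "Cookie"]}),
    json.dumps({"path": "/ers/config/endpoint", "headers": ["Host", "Accept", "Content-Type"]}),
    json.dumps({"path": "/internal/legacy", "headers": ["Host", "X-Op-Token"]}),
]
```

Run against the samples, the component diff returns the single IdentityAuditAction class and the request scan returns only the /internal/legacy record with its unexpected X-Op-Token header; both checks are noisy until the allowlists are tuned from a clean capture.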

4️⃣ Apply Vendor Patches Immediately

Cisco and Citrix have released security updates — but exploitation began before patch availability, so patching alone is insufficient.
Run full compromise assessments immediately.

5️⃣ Review Identity Trust Boundaries

Because Cisco ISE was targeted, ensure:

  • Authentication flows are verified

  • Network access policies are intact

  • Administrative roles haven’t been modified


🔐 Elliptic Systems Perspective

This campaign is a clear reminder:
Zero-day exploitation isn’t reserved for nation-states anymore — it’s becoming a normalized tactic in the global threat landscape.

Identity platforms, access control systems, and network edge appliances represent the new high-value targets in hybrid enterprises. Once compromised, attackers gain leverage across the entire ecosystem.

Organizations must strengthen visibility, harden access points, and prepare for the reality that identity infrastructure is now ground zero in modern cyber warfare.

AI Consultant | Best-selling Author | Speaker | Innovator | Leading Cybersecurity Expert

Eric Stefanik
