What if you awoke one day to find that an attacker had breached your organization's network and slipped past the safeguards in your identity and access management stack? That is essentially what the Amazon Security Team uncovered when it announced the onset of a significant breach of its network, driven by zero-day exploits of previously unknown vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC / Gateway.
This article takes a look at the timeline of events surrounding this zero-day attack, what to expect, and how organizations can implement protective measures against such attacks going forward.
The zero-days that slipped under the radar
In mid-2025, Amazon's "MadPot" honeypot network detected anomalous attempts to exploit a vulnerability in Citrix NetScaler, identified by Amazon as CVE-2025-5777 (also known as "Citrix Bleed 2", rated CVSS 9.3).
Amazon also found a second vulnerability, this one in Cisco ISE (CVE-2025-20337): a remote code execution flaw that allowed an unauthenticated attacker to obtain root access on affected devices. It received the maximum CVSS score of 10.0.
What is troubling about the simultaneous exploitation of both CVEs is that it began before either had been published or patched: the Citrix vulnerability was exploited as early as May, months before Citrix issued its advisory, and the Cisco ISE vulnerability was being exploited before it had been assigned a CVE ID or fixed.
A custom attack tailored for stealth
This was not a simple attack using off-the-shelf malware. The attackers built a custom web shell, named "IdentityAuditAction", designed to pass as a legitimate component of Cisco ISE. The shell lived entirely in memory: it injected itself into the running Tomcat server using Java reflection and recorded every HTTP request that reached it. Traffic between the shell and its operator was encrypted with DES and encoded in a non-standard variant of Base64, making it very hard for most antivirus or anti-malware products to detect. To interact with it, the attackers had to supply specific HTTP headers known only to them.
This points to a highly resourced and sophisticated threat actor: one that develops specialized tooling, understands how enterprise Java works, is familiar with Cisco ISE's internal mechanisms, and has in-memory implant and encryption techniques at its disposal. Amazon Security has stated that it does not know which group carried out these attacks and cannot confirm that they were connected, for lack of conclusive evidence.
Why your edge devices may be at risk
Many organizations assume their identity management systems and VPN gateways are safe because those systems are carefully maintained, sit behind firewalls, and are kept patched and protected. As this attack illustrates, however, even "well-maintained and configured" access systems can be compromised when attackers bring zero-day exploits.
Identity management and network-access control systems form the foundation of enterprise-wide security; once one is compromised, an attacker can gain broad control over a company's infrastructure and expand that foothold whenever needed. This attack shows directly how identity management and VPN gateway appliances served as the platforms from which the attacker established access to the enterprise.
What every organization must do today
- Patch immediately: Ensure Citrix NetScaler (addressing CVE-2025-5777) and Cisco ISE (patching CVE-2025-20337 and related flaws) are updated as per vendor advisories.
- Segregate access: Don't expose management portals to the internet; place such devices behind firewalls, VPNs, or segmented networks, and limit direct internet-facing access.
- Deploy monitoring and detection tools: Watch for anomalous in-memory activity, strange HTTP traffic, or unexpected internal communications. Treat identity platforms with the same scrutiny as public-facing servers.
- Embrace defense-in-depth: Network segmentation, regular vulnerability assessment, honeypots, and vigilant observability must become standard parts of security hygiene.
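The monitoring advice above is easier to act on with a concrete rule set. The traits of the web shell described earlier (an endpoint no legitimate client uses, request headers only the operator knows to send, and bodies that look like Base64 but do not decode as such) can each be turned into a heuristic run over access logs. The script below is an added illustration written for this article; it is not code from Amazon, Cisco or Citrix. It assumes a constructed log format in which each line carries the client IP, request line, status, the names of the request headers, and the body or query string; a real Tomcat or ISE access log only records the headers you configure its AccessLogValve to emit, so the `hdrs=` field, the `STANDARD_HEADERS` allowlist, and all sample lines are assumptions.

```python
"""Heuristic detector for in-memory web-shell traffic in access logs.

Added illustration, not code from Amazon, Cisco or Citrix. It assumes a
constructed log format:  <ip> "<METHOD> <path>" <status> hdrs="..." body="..."
Real Tomcat / ISE access logs only record the headers you configure
AccessLogValve to emit, so the hdrs= field is an assumption.
"""
import base64
import binascii
import re

# Request headers a browser or API client ordinarily sends (constructed allowlist;
# extend it for your environment before relying on the "non-standard header" rule).
STANDARD_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "content-type", "content-length", "cookie", "authorization", "referer",
    "connection", "origin", "x-requested-with", "cache-control",
}

# Opaque token of 24+ characters drawn from a Base64-like alphabet.
B64_LIKE = re.compile(r"[A-Za-z0-9+/=_\-]{24,}")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'hdrs="(?P<hdrs>[^"]*)" body="(?P<body>[^"]*)"$'
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hdrs"] = [h.strip().lower() for h in rec["hdrs"].split(",") if h.strip()]
    return rec


def is_standard_base64(token):
    """True if the token is valid standard or URL-safe Base64 under strict decoding."""
    padded = token + "=" * (-len(token) % 4)
    for alt in (None, b"-_"):           # standard alphabet, then URL-safe alphabet
        try:
            base64.b64decode(padded, altchars=alt, validate=True)
            return True
        except (binascii.Error, ValueError):
            pass
    return False


def learn_baseline(lines):
    """Collect the (method, path) pairs seen during a known-clean period."""
    return {(r["method"], r["path"]) for r in map(parse_line, lines) if r}


def scan(lines, baseline):
    """Return one finding per suspicious request, listing every rule it tripped."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        reasons = []
        if (rec["method"], rec["path"]) not in baseline:
            reasons.append("endpoint outside learned baseline")
        unknown = [h for h in rec["hdrs"] if h not in STANDARD_HEADERS]
        if unknown:
            reasons.append("non-standard request headers: " + ", ".join(unknown))
        # A Base64-looking blob that strict decoding rejects hints at a custom
        # alphabet or framing rather than an ordinary encoded parameter.
        if any(not is_standard_base64(t) for t in B64_LIKE.findall(rec["body"])):
            reasons.append("Base64-like blob that is not valid Base64")
        if reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"], "reasons": reasons})
    return findings


# Constructed sample traffic. The benign window trains the baseline; the suspect
# line mimics the traits described in the article without reproducing any real IoC.
BENIGN = [
    '10.0.0.5 "GET /admin/login.jsp" 200 hdrs="host, user-agent, accept" body=""',
    '10.0.0.5 "POST /admin/LoginAction.do" 302 hdrs="host, content-type" body="username=ops"',
    '10.0.0.7 "GET /ers/config/endpoint" 200 hdrs="host, authorization" body=""',
    '10.0.0.7 "POST /ers/config/endpoint" 201 hdrs="host, content-type" body="QUFBQUFBQUFBQUFBQUFBQUFBQUFB"',
]
SUSPECT = [
    '198.51.100.9 "POST /admin/AuditTask" 200 hdrs="host, x-task-key, x-task-seq" body="Qm9ndXMtZGF0YS1ibG9iX2hlc"',
]

if __name__ == "__main__":
    baseline = learn_baseline(BENIGN)
    for f in scan(BENIGN + SUSPECT, baseline):
        print(f["ip"], f["path"], "->", "; ".join(f["reasons"]))
```

Each rule on its own is noisy (new API paths appear with every upgrade, and some legitimate clients send custom headers), so treat a request that trips two or three rules at once as the signal worth escalating, and retrain the baseline after each planned change to the appliance.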
The takeaway
Amazon's published findings show how far attackers have come: from targeting applications and endpoints to now also targeting the core systems companies depend on to maintain trust. That these attacks occurred before patches existed means a purely reactive approach to security is insufficient.
When it comes to protecting your organization's identity and access infrastructure, the best course of action is to PATCH, MONITOR, and RETHINK your network architecture, because when your identity systems fail, your entire foundation begins to fall apart!