An unnamed advanced persistent threat (APT) group exploited a zero-day vulnerability in Citrix NetScaler ADC and Gateway, dubbed "CitrixBleed 2," alongside a critical flaw in Cisco Identity Services Engine (ISE). Both targets sit at the core of enterprise identity and network access control: the NetScaler Gateway fronts remote access and authentication, and ISE decides which devices and users are admitted to the network.
Amazon's threat intelligence team uncovered the attacks. They illustrate a growing pattern in which highly capable adversaries rely on previously undisclosed vulnerabilities rather than known, unpatched ones. The attackers exploited these foundational systems, which enforce security policy and manage authentication, weeks before public patches existed. Even organizations with prompt patching processes were therefore exposed, because there was nothing to apply during the exploitation window.
The CitrixBleed 2 vulnerability (CVE-2025-5777), rated 9.3 under CVSS v4.0, affects NetScaler ADC and Gateway. Insufficient input validation causes a memory overread when NetScaler is configured as a Gateway or as an AAA virtual server, so a crafted request returns uninitialized memory to the client. Security researcher Kevin Beaumont first publicly flagged active exploitation and gave the bug its name, noting its resemblance to the original CitrixBleed (CVE-2023-4966). Amazon's "MadPot" honeypot service later corroborated his findings: it had recorded exploitation attempts against CVE-2025-5777 before Citrix released a patch on June 17, 2025, indicating the bug had been used as a zero-day for roughly a month. Because the leaked memory can contain session tokens, an attacker can replay them to hijack authenticated NetScaler and Citrix Virtual Desktop sessions, including active administrator sessions, without knowing a password or passing MFA. Stolen tokens remain usable until the corresponding sessions are terminated, which is why patching alone does not evict an attacker who already holds one.
The same threat actor concurrently targeted Cisco Identity Services Engine with a "max-critical" bug, CVE-2025-20337, which carries the maximum CVSS v3.1 score of 10.0. The vulnerability affects specific APIs in Cisco ISE and ISE-PIC and lets an unauthenticated, remote attacker execute arbitrary code on the underlying operating system as root. The flaw stems from insufficient validation of user-supplied input, so a crafted API request yields pre-authentication remote code execution. Exploitation in the wild was observed before Cisco had assigned a CVE identifier or released comprehensive fixes, leaving defenders with no complete remediation while attacks were already underway.
The group deployed custom malware in the campaign, a sign of both sophistication and a deliberate focus on compromising identity and network access control points. Control of the systems that authenticate users and enforce policy gives an attacker durable, hard-to-detect access across an enterprise. Exploiting a vulnerability before a fix exists, and then continuing to exploit it during the gap between a patch's release and its deployment, reflects adversaries who monitor vendor advisories and weaponize bugs faster than most defenders can remediate.
These simultaneous zero-day campaigns against widely deployed infrastructure components underscore a persistent challenge: advanced persistent threats deliberately seek out the most critical junctions of network security, where a single compromise yields the broadest access.
Key takeaway: Organizations should:
- Apply the vendor fixes for Citrix NetScaler ADC/Gateway (CVE-2025-5777) and Cisco ISE/ISE-PIC (CVE-2025-20337) immediately. For NetScaler, patching does not invalidate session tokens that were already stolen, so terminate active sessions after the upgrade (Citrix's advisory recommends running `kill icaconnection -all` and `kill pcoipConnection -all`). For ISE there is no workaround; upgrade to a fixed release.
- Treat both products as potentially compromised until proven otherwise, since exploitation predates the patches. Review authentication and access-control logs for the period before the fixes shipped, looking in particular for session tokens reused from a second source IP, administrator sessions from unexpected addresses, and unexpected API requests or unfamiliar files and processes on ISE hosts.
- Implement ongoing monitoring of identity infrastructure so that anomalous sessions and configuration changes are detected promptly rather than found weeks later.
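The second takeaway above, checking authentication logs for session tokens that surface from a new source IP, is the most direct way to spot CitrixBleed-style token theft after the fact. The following Python script is an added example, not code from the article or from Citrix or Amazon. It runs over a handful of constructed log lines in a hypothetical `key=value` format (the real NetScaler log layout differs; adapt the regex to yours), flags any session used from more than one client IP within a time window, rates administrator sessions as critical, and then pivots on the flagged entries to find source IPs shared across several hijacked sessions, which is the kind of attacker-controlled address that is worth blocking and hunting on immediately.

```python
"""Detect session-token reuse from multiple client IPs in authentication logs.

Added example for this article; the log format below is a hypothetical
key=value layout, not real NetScaler or ISE output.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (documentation/example IP ranges, fictitious users).
# The attacker at 198.51.100.77 replays two stolen tokens; asmith is benign.
SAMPLE_LOG = """\
2025-06-20T09:00:01Z session=a1b2c3 user=jdoe role=user src=203.0.113.10 event=auth_success
2025-06-20T09:05:12Z session=a1b2c3 user=jdoe role=user src=203.0.113.10 event=app_launch
2025-06-20T09:07:45Z session=a1b2c3 user=jdoe role=user src=198.51.100.77 event=app_launch
2025-06-20T09:10:00Z session=d4e5f6 user=admin role=admin src=192.0.2.5 event=auth_success
2025-06-20T09:12:30Z session=d4e5f6 user=admin role=admin src=198.51.100.77 event=config_change
2025-06-20T09:15:00Z session=778899 user=asmith role=user src=203.0.113.44 event=auth_success
2025-06-20T11:30:00Z session=778899 user=asmith role=user src=203.0.113.44 event=app_launch
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+)$"
)


def parse(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_hijacked_sessions(events, window=timedelta(minutes=30)):
    """Return {session_id: finding} for sessions seen from >1 source IP within `window`.

    A replayed token shows up as the same session id arriving from a second
    address shortly after legitimate use. Admin sessions are rated critical.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)

    findings = {}
    for sid, evs in by_session.items():
        reused = any(
            later["src"] != first["src"] and later["ts"] - first["ts"] <= window
            for i, first in enumerate(evs)
            for later in evs[i + 1:]
        )
        if reused:
            findings[sid] = {
                "user": evs[0]["user"],
                "role": evs[0]["role"],
                "ips": sorted({e["src"] for e in evs}),
                "severity": "critical" if evs[0]["role"] == "admin" else "high",
            }
    return findings


def shared_attacker_ips(findings):
    """Source IPs that appear in more than one flagged session: a strong pivot."""
    counts = Counter(ip for f in findings.values() for ip in f["ips"])
    return sorted(ip for ip, n in counts.items() if n > 1)


if __name__ == "__main__":
    hits = find_hijacked_sessions(parse(SAMPLE_LOG))
    for sid, f in hits.items():
        print(f"[{f['severity']}] session {sid} ({f['user']}/{f['role']}) "
              f"seen from {', '.join(f['ips'])}")
    print("IPs shared across hijacked sessions:", shared_attacker_ips(hits))
```

Two caveats when running this against real logs: users who roam between networks (for example, a laptop moving from Wi-Fi to a mobile hotspot) will produce the same signature, so treat a hit as a lead to corroborate with the NetScaler session table and endpoint telemetry rather than as proof; and the 30-minute window is a tuning knob, with shorter windows reducing false positives at the cost of missing slower replay.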