Exploitation of Zero-Day Vulnerabilities in Citrix and Cisco Systems
Recent cybersecurity developments have highlighted the exploitation of critical vulnerabilities in Citrix NetScaler ADC and Gateway, known as "Citrix Bleed 2" (CVE-2025-5777), and in Cisco Identity Services Engine (ISE) (CVE-2025-20337). Both were exploited as zero-days by an advanced threat actor to deploy custom malware. Citrix Bleed 2 is an out-of-bounds memory read, while the Cisco ISE flaw allows unauthenticated attackers to execute arbitrary code or gain root privileges. Both vulnerabilities were exploited before public disclosure and patch availability, underscoring the sophistication of the threat actor involved.
Amazon's threat intelligence team, through their "MadPot" honeypot data, detected exploitation attempts for these vulnerabilities prior to their public disclosure. This indicates that the threat actor had advanced knowledge and capabilities to exploit these flaws as zero-days. The exploitation of these vulnerabilities involved deploying a custom web shell named 'IdentityAuditAction' on Cisco ISE endpoints, which was disguised as a legitimate component and used advanced techniques to evade detection.
The indiscriminate targeting of these vulnerabilities suggests a deviation from the typical focused operations of advanced threat actors. Despite the lack of attribution to a known threat group, the use of multiple zero-day flaws and deep knowledge of Java/Tomcat internals and Cisco ISE architecture point to a highly resourced adversary. Organizations are urged to apply available security updates for these vulnerabilities and implement network access controls to mitigate potential risks.
Threats and Vulnerabilities
The Citrix Bleed 2 vulnerability (CVE-2025-5777) in NetScaler ADC and Gateway is an out-of-bounds memory read issue that was exploited as a zero-day. This vulnerability allows attackers to read sensitive memory contents, potentially leading to unauthorized access or data leakage. Exploits for this vulnerability became available in early July, and it has been tagged by CISA as actively exploited.
CVE-2025-20337 affects Cisco Identity Services Engine (ISE) and carries the maximum severity score. It allows unauthenticated attackers to store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices. The vulnerability was publicly disclosed on July 17, with active exploitation reported shortly thereafter. The exploitation involved deploying a custom web shell that used advanced evasion techniques, such as DES encryption with non-standard base64 encoding, and left minimal forensic traces.
The threat actor used these vulnerabilities to obtain pre-authentication administrative access to Cisco ISE endpoints and deploy a web shell disguised as a legitimate component. The web shell intercepted HTTP requests and injected itself into Tomcat server threads using Java reflection, demonstrating detailed knowledge of the target systems.
Client Impact
The exploitation of these vulnerabilities poses significant risks to organizations, including potential operational disruptions, data breaches, and financial losses. The ability of attackers to gain unauthorized access and execute arbitrary code on critical systems can lead to severe consequences, such as loss of sensitive data or system downtime. Additionally, the use of advanced evasion techniques makes detection and response more challenging.
From a compliance perspective, organizations may face regulatory challenges if these vulnerabilities are exploited, leading to potential audits or penalties. The failure to apply timely security updates or implement adequate access controls could result in non-compliance with industry regulations and standards.
Mitigations
To mitigate the risks associated with these vulnerabilities, organizations should take the following actions:
- Apply the latest security updates for CVE-2025-5777 and CVE-2025-20337 to affected systems promptly.
- Implement network segmentation and limit access to edge network devices through firewalls and access controls.
- Monitor network traffic for anomalous activity that may indicate exploitation attempts or unauthorized access.
- Conduct regular security assessments and penetration testing to identify potential vulnerabilities in your environment.
- Educate employees about phishing attacks and social engineering tactics that may be used to exploit these vulnerabilities.
By taking these steps, organizations can reduce their exposure to these threats and enhance their overall security posture. Continuous monitoring and timely application of security patches are crucial in defending against sophisticated threat actors exploiting zero-day vulnerabilities.
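The monitoring step above can be made concrete for the web shell described in the Threats and Vulnerabilities section: a disguised Java component inside a Tomcat deployment leaves a file on disk, so a periodic inventory hunt that flags the known component name and any Java code artefact written after the last known-good deployment gives defenders a practical starting point. The script below is an added illustration, not code from this advisory or from 1898 & Co.; the Tomcat directory layout, the baseline timestamp and the sample file inventory are constructed assumptions, and the only indicator drawn from the advisory is the web shell name 'IdentityAuditAction'.

```python
"""Defender-side hunt for traces of a disguised Java web shell in a Tomcat
deployment. Added illustration: the directory layout, baseline time and sample
inventory are assumptions, not facts from the advisory. The only indicator
taken from the advisory is the web shell component name 'IdentityAuditAction'.
"""

import os
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List

# Indicator taken from the advisory: the web shell's component name.
KNOWN_SHELL_NAMES = ("IdentityAuditAction",)

# File types that can carry executable Java code into a running Tomcat.
CODE_EXTENSIONS = (".class", ".jar", ".jsp", ".jspx", ".war")

# Assumed baseline: modification time of the last legitimate patch/deployment.
BASELINE = 1_700_000_000.0


@dataclass(frozen=True)
class FileRecord:
    path: str
    mtime: float  # seconds since the epoch
    head: bytes   # leading bytes of the file, enough to search for names


def find_shell_traces(records: Iterable[FileRecord], baseline_mtime: float) -> List[dict]:
    """Return one finding per record that (a) carries a known web shell name in
    its path or content, or (b) is a Java code artefact newer than the baseline.
    Both conditions are reported separately so an analyst sees why it was flagged."""
    name_re = re.compile(b"|".join(re.escape(n).encode() for n in KNOWN_SHELL_NAMES))
    findings = []
    for rec in records:
        reasons = []
        if name_re.search(rec.path.encode()) or name_re.search(rec.head):
            reasons.append("known web shell name")
        if rec.path.lower().endswith(CODE_EXTENSIONS) and rec.mtime > baseline_mtime:
            reasons.append("code artefact newer than baseline")
        if reasons:
            findings.append({"path": rec.path, "reasons": reasons})
    return findings


def walk_records(root: str, head_bytes: int = 1 << 20) -> Iterator[FileRecord]:
    """Yield a FileRecord for every regular file under root (an assumed Tomcat
    directory); unreadable files are skipped rather than aborting the hunt."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
                with open(full, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue
            yield FileRecord(full, st.st_mtime, head)


def sample_records() -> List[FileRecord]:
    """Constructed sample inventory; the paths are not real Cisco ISE paths."""
    return [
        # Legitimate class, older than the baseline, no indicator: not flagged.
        FileRecord("/opt/tomcat/webapps/admin/WEB-INF/classes/com/example/Login.class",
                   BASELINE - 86400, b"\xca\xfe\xba\xbe...Login"),
        # Jar named after the web shell and dropped after the baseline: both reasons.
        FileRecord("/opt/tomcat/webapps/admin/WEB-INF/lib/IdentityAuditAction.jar",
                   BASELINE + 3600, b"PK\x03\x04..."),
        # Old class whose bytecode references the name (timestomped): name only.
        FileRecord("/opt/tomcat/webapps/admin/WEB-INF/classes/com/example/Filter.class",
                   BASELINE - 3600, b"\xca\xfe\xba\xbe...IdentityAuditAction"),
        # Unknown JSP newer than the baseline: worth a look even without a name hit.
        FileRecord("/opt/tomcat/webapps/admin/status.jsp",
                   BASELINE + 100, b"<%@ page language=\"java\" %>"),
        # Log file, not a code artefact: not flagged.
        FileRecord("/opt/tomcat/logs/catalina.out",
                   BASELINE + 7200, b"INFO: Server startup"),
    ]


if __name__ == "__main__":
    # Replace sample_records() with walk_records("/opt/tomcat") on a real host.
    for finding in find_shell_traces(sample_records(), BASELINE):
        print(finding["path"], "->", ", ".join(finding["reasons"]))
```

The baseline check matters as much as the name match: a copycat component will not reuse the same name, but it still has to land on disk as new Java code, and comparing against the timestamp of the last sanctioned deployment catches that. Timestomped files (the Filter.class case) are only caught by the content search, which is why both checks are kept.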
1898 & Co. Response
1898 & Co. is actively addressing the current threat landscape by offering specialized services designed to mitigate emerging threats like those posed by the Citrix Bleed 2 and Cisco ISE vulnerabilities. Our team provides tailored vulnerability assessments and penetration testing services to identify potential weaknesses in client environments before they can be exploited by adversaries.
We have updated our security protocols to incorporate the latest threat intelligence insights, ensuring our clients benefit from cutting-edge defenses against zero-day exploits. Our collaborative efforts with industry partners enable us to share critical information about emerging threats and coordinate effective responses.
Our ongoing research into advanced threat actors and their tactics allows us to provide clients with actionable intelligence that informs their security strategies. By leveraging our expertise in industrial control systems (ICS) security, we help clients implement robust defenses aligned with industry standards such as IEC 62443.