A sophisticated campaign targeting enterprise network infrastructure surfaced in the recent findings of Amazon’s threat intelligence team, revealing active exploitation of previously undisclosed vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler. The attacks were detected before either company publicly confirmed or patched the issues, highlighting the persistent and evolving threat posed by advanced hacking groups. As businesses depend on these products for critical identity and network management, the early exploitation raises concerns about existing security postures and the speed at which threat actors move. Amazon’s own monitoring infrastructure, MadPot, played a key role in catching initial activity linked to this campaign, raising questions about industry-wide detection capabilities.
Earlier disclosures regarding similar vulnerabilities did not involve pre-release exploitation on this scale, nor did they highlight such coordinated activity across vendors. Conventionally, vendors have announced critical vulnerabilities shortly after attackers begin targeting them, but this incident demonstrates a considerable gap between threat actor operations and vendor response. The rapid timeline and cross-platform nature of these exploits mark a notable shift in adversary behavior, amplifying the need for enhanced real-time detection and collaboration among major technology providers.
How Did Amazon Detect the Early Attacks?
Detection efforts relied on Amazon’s MadPot honeypot service, which logs and analyzes suspicious internet activity. MadPot recorded unusual scanning and exploitation behavior targeting CVE-2025-5777 in Citrix NetScaler and CVE-2025-20337 in Cisco ISE, prompting deeper investigation by Amazon’s security teams. Through that investigation, analysts identified a well-resourced group leveraging zero-day bugs before any public advisory or fix was available. CJ Moses, the company’s chief information security officer, explained:
“We assess with high confidence it was the same threat actor observed exploiting both vulnerabilities.”
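The article describes MadPot as a honeypot that logs suspicious traffic and surfaces unusual scanning and exploitation behaviour, but gives no detail of how that triage works. The following is an added example, not Amazon's code or MadPot's logic: a small Python triage pass over constructed honeypot log lines that builds a per-source profile (request count, distinct paths, error ratio, hits on sensitive paths, time window) and flags sources that look like indiscriminate scanners or repeated probes of sensitive endpoints. The log format, the sample addresses, the sensitive-path prefixes and the thresholds are all assumptions made for the example.

```python
"""Minimal honeypot log triage: flag sources whose behaviour looks like
scanning or repeated probing of sensitive endpoints.

The log format, the sample lines, the sensitive-path list and the
thresholds are all constructed for this example; they are not MadPot's
format or rules."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: ISO timestamp, source IP, method, path, status
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)

# Path prefixes treated as sensitive for this example (assumption)
SENSITIVE_PREFIXES = ("/admin", "/login", "/api/")

# Constructed sample log: one benign visitor, one wide scanner,
# one source hammering a login endpoint. Addresses are documentation ranges.
SAMPLE_LOG = """\
2025-06-01T10:00:00Z 198.51.100.7 GET /index.html 200
2025-06-01T10:00:01Z 203.0.113.9 GET /wp-login.php 404
2025-06-01T10:00:01Z 203.0.113.9 GET /phpmyadmin/ 404
2025-06-01T10:00:02Z 203.0.113.9 GET /.env 404
2025-06-01T10:00:02Z 203.0.113.9 GET /admin/ 404
2025-06-01T10:00:03Z 203.0.113.9 GET /cgi-bin/test.cgi 404
2025-06-01T10:00:03Z 203.0.113.9 GET /console/ 404
2025-06-01T10:00:10Z 192.0.2.44 POST /login 401
2025-06-01T10:00:11Z 192.0.2.44 POST /login 401
2025-06-01T10:00:12Z 192.0.2.44 POST /login 401
2025-06-01T10:00:13Z 192.0.2.44 POST /login 401
2025-06-01T10:00:14Z 192.0.2.44 POST /login 401
2025-06-01T10:00:20Z 198.51.100.7 GET /about.html 200
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["status"] = int(d["status"])
        events.append(d)
    return events


def profile_sources(events):
    """Aggregate per-source features used by the classifier."""
    profiles = defaultdict(lambda: {
        "n": 0, "paths": set(), "errors": 0, "sensitive": 0,
        "first": None, "last": None,
    })
    for e in events:
        p = profiles[e["src"]]
        p["n"] += 1
        p["paths"].add(e["path"])
        if e["status"] >= 400:
            p["errors"] += 1
        if e["path"].startswith(SENSITIVE_PREFIXES):
            p["sensitive"] += 1
        p["first"] = e["ts"] if p["first"] is None else min(p["first"], e["ts"])
        p["last"] = e["ts"] if p["last"] is None else max(p["last"], e["ts"])
    return profiles


def classify(profile, min_scan_paths=5, min_error_ratio=0.8,
             min_probe_hits=4, max_probe_window_s=60):
    """Return a list of verdicts for one source (empty means unremarkable)."""
    verdicts = []
    error_ratio = profile["errors"] / profile["n"]
    # Many distinct paths that mostly fail: indiscriminate scanning.
    if len(profile["paths"]) >= min_scan_paths and error_ratio >= min_error_ratio:
        verdicts.append("scanner")
    # Repeated hits on sensitive paths inside a short window: targeted probing.
    window = (profile["last"] - profile["first"]).total_seconds()
    if profile["sensitive"] >= min_probe_hits and window <= max_probe_window_s:
        verdicts.append("sensitive-probe")
    return verdicts


def triage(text):
    """Return {source_ip: [verdicts]} for every source that earned a verdict."""
    findings = {}
    for src, profile in profile_sources(parse_log(text)).items():
        v = classify(profile)
        if v:
            findings[src] = v
    return findings


if __name__ == "__main__":
    for src, verdicts in triage(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(verdicts)}")
```

On the constructed sample the wide 404 sweep from 203.0.113.9 is reported as a scanner and the burst of failed logins from 192.0.2.44 as a sensitive-endpoint probe, while the two-page visitor from 198.51.100.7 produces nothing. In a real deployment the thresholds would be tuned per honeypot and the verdicts fed onward for analyst review rather than acted on automatically.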
What Methods Did Attackers Use Against Cisco and Citrix?
The threat group demonstrated significant technical capability, using custom-developed malware built specifically for Cisco ISE environments and equipped with mechanisms to evade detection. The backdoor exploited flaws in Cisco’s enterprise Java and Tomcat implementation. Moses noted the attacker’s proficiency, stating:
“The threat actor’s custom tooling demonstrated a deep understanding of enterprise Java applications, Tomcat internals and the specific architectural nuances of the Cisco ISE.”
The attackers initiated these efforts weeks before the official disclosure from vendors, further demonstrating advanced planning and reconnaissance.
How Did Cisco and Citrix Respond to the Findings?
After Amazon’s disclosure, Cisco informed affected customers within hours about the CVE-2025-20337 exploit, following its official advisory released on June 25. Citrix responded similarly regarding CVE-2025-5777, known as CitrixBleed 2, after noticing similarities with earlier vulnerabilities in the same product line. These efforts coincided with a public surge in attack attempts, which reached millions within a few weeks of exposure. The Cybersecurity and Infrastructure Security Agency added the Citrix vulnerability to its catalog of actively exploited vulnerabilities on July 10, further affirming its significance within the cybersecurity landscape.
Amazon’s decision to wait before broadly sharing details about ongoing zero-day exploitation remains unexplained. The company did not provide information about more recent attacks or the precise impact on end clients. While no details surfaced regarding the group’s identity, the use of advanced exploitation methods and custom tooling indicates access to privileged research capability or confidential vulnerability information. The company characterized the objective as likely long-term espionage rather than immediate disruption, a stance echoed by industry experts analyzing threat group behaviors.
Security issues in Cisco and Citrix products have drawn significant attention over the years, often centred on patch effectiveness and public disclosure practices. The current attacks illustrate that adversaries adapt rapidly and actively seek out weaknesses in identity and edge network products, especially as businesses diversify the platforms they use. Large-scale incidents such as this highlight the importance of coordinated information-sharing between vendors, security companies, and government agencies to shorten exposure windows and contain adversary activity quickly. Enterprises operating critical infrastructure should reassess patch management programs, accelerate adoption of detection technologies such as honeypots, and stay current on vendor advisories. Timely identification of new attack techniques and collaborative defense measures will play a crucial role in reducing the risks tied to zero-day threats in the future.
