Amazon’s security teams have identified an Advanced Persistent Threat (APT) campaign that exploited zero-day vulnerabilities in two widely deployed enterprise products: Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC/Gateway. The attacks used previously unknown flaws to gain and maintain unauthorized access to appliances that sit at the centre of authentication and remote access, which is why affected organisations need to verify their exposure and remediate quickly.
Vulnerabilities and Exploit Details
Two vulnerabilities are involved, both exploited before they were publicly disclosed:
- CVE-2025-20337: a previously undocumented vulnerability in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that allows pre-authentication remote code execution.
- CVE-2025-5777: also known as “CitrixBleed 2”, an insufficient input-validation vulnerability in Citrix NetScaler ADC and NetScaler Gateway that leads to a memory overread.
The Cisco vulnerability (CVE-2025-20337) gives an unauthenticated remote attacker code execution as root on a Cisco ISE deployment. In the observed campaign, the APT reached it through a vulnerable deserialization endpoint in Cisco ISE.
The Citrix vulnerability (CVE-2025-5777) affects NetScaler ADC / Gateway appliances configured as a Gateway (VPN virtual server, ICA proxy, CVPN or RDP proxy) or as an AAA virtual server. A crafted request makes the appliance return uninitialised memory, which can contain session tokens and other secrets; replaying a leaked token lets an attacker bypass authentication. It is an information-disclosure flaw rather than a code-execution flaw.
Exploitation Techniques Discovered
Amazon’s honeypot infrastructure (MadPot) detected exploitation attempts against CVE-2025-5777 before its public disclosure, which confirms live zero-day use. The same threat actor then used a payload targeting Cisco ISE that exploited CVE-2025-20337.
After exploitation, the actor deployed a custom web shell masquerading as a legitimate Cisco ISE component named “IdentityAuditAction”. Its characteristics:
- The web shell runs entirely in memory, leaving minimal forensic disk artifacts.
- It uses Java reflection to inject itself into running threads.
- It registers as a listener on the Tomcat server that serves HTTP requests, monitoring all inbound HTTP traffic.
- The shell encrypts its traffic with DES and wraps it in a non-standard Base64 encoding to evade content inspection, and it only responds to requests carrying specific HTTP headers.
- A code snippet in Amazon’s blog shows the shell reading the request body, replacing characters (“*” -> “a”, “$” -> “l”) to restore standard Base64, and decrypting with DES/ECB/PKCS5Padding under the hard-coded key “d384922c”.
These details suggest a deep understanding of enterprise Java applications, Tomcat internals, as well as the architectural specifics of Cisco ISE, implying that the actor was “highly resourced” either via advanced vulnerability research or access to non-public vulnerability information.
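To make that decoding routine concrete for an analyst who has captured request bodies from a suspect ISE node, here is an added Go example; it is not code from Amazon’s write-up or from the shell itself. It mirrors the read path described above (character substitution, Base64 decode, DES/ECB/PKCS5Padding decrypt with the hard-coded key) and adds a triage check. It assumes the substitution is applied to the body text before standard Base64 decoding, and that the operator-side encoder is simply the inverse; the names `DecodeShellBody`, `EncodeShellBody` and `LooksLikeShellTraffic` and the sample command are mine.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// DESKey is the hard-coded key reported in the web shell's decryption routine.
const DESKey = "d384922c"

// The shell maps "*" back to "a" and "$" back to "l" to restore standard Base64
// before decoding. Standard Base64 never emits "*" or "$", so the inverse mapping
// (assumed here for the operator side, which the write-up does not show) is exact.
var (
	shellToStandard = strings.NewReplacer("*", "a", "$", "l")
	standardToShell = strings.NewReplacer("a", "*", "l", "$")
)

func pkcs5Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte, size int) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > size || len(b)%size != 0 || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS5 padding")
	}
	return b[:len(b)-n], nil
}

// DecodeShellBody mirrors the shell's read path: undo the substitution,
// Base64-decode, DES/ECB-decrypt under key, strip PKCS5 padding.
func DecodeShellBody(body, key string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(shellToStandard.Replace(strings.TrimSpace(body)))
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	block, err := des.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(raw) == 0 || len(raw)%bs != 0 {
		return nil, errors.New("ciphertext is not a whole number of DES blocks")
	}
	plain := make([]byte, len(raw))
	for i := 0; i < len(raw); i += bs { // ECB: each block decrypted independently
		block.Decrypt(plain[i:i+bs], raw[i:i+bs])
	}
	return pkcs5Unpad(plain, bs)
}

// EncodeShellBody is the inverse, for generating known-good samples when testing
// WAF or IDS rules. It is an assumption about the operator tooling.
func EncodeShellBody(plain []byte, key string) (string, error) {
	block, err := des.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	padded := pkcs5Pad(append([]byte(nil), plain...), bs)
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(ct[i:i+bs], padded[i:i+bs])
	}
	return standardToShell.Replace(base64.StdEncoding.EncodeToString(ct)), nil
}

// LooksLikeShellTraffic is a triage check for captured request bodies: the body
// must survive the substitution and Base64 step and decrypt to valid padding under
// the hard-coded key. Random Base64 passes the padding check about 1 time in 256,
// so treat a hit as a lead to confirm against the shell's other traits, not proof.
func LooksLikeShellTraffic(body string) bool {
	_, err := DecodeShellBody(body, DESKey)
	return err == nil
}

func main() {
	// Constructed sample: an operator command wrapped the way the shell expects.
	body, _ := EncodeShellBody([]byte("id"), DESKey)
	plain, err := DecodeShellBody(body, DESKey)
	fmt.Printf("wire body: %s\nplaintext: %s (err=%v)\ntriage hit: %v\n", body, plain, err, LooksLikeShellTraffic(body))
}
```

Run it with `go run .` to see a wire-format body and its decryption. Because the HTTP headers the shell insists on are not disclosed, a detection rule built from this should key on the body format and on the appliance context (an ISE node receiving Base64-like bodies containing “*” or “$” on an endpoint that normally takes none) rather than on headers, and every hit should be confirmed by decrypting the capture.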
Key Technical Takeaways
- Pre-authentication RCE in identity infrastructure is a worst-case scenario: in the Cisco ISE case, no credentials were required to initiate exploitation.
- In-memory web shell allows persistence without leaving obvious disk traces; the use of Java reflection and thread injection complicates detection by typical endpoint/host-based EDR.
- Monitoring all HTTP requests via listener on Tomcat gives the actor full visibility/control of the appliance’s web interface, and can facilitate lateral movement or further exploitation.
- The Citrix vulnerability demonstrates that access-edge appliances (VPN gateways, ICA, RDP proxies) remain high-value targets for attackers aiming to establish footholds.
- The “weaponisation gap” (the interval between vulnerability discovery and patch deployment) is being exploited. Amazon observed “indiscriminate” Internet-targeting of these vulnerabilities.
Impact and Exploitation
For organisations deploying Cisco ISE or Citrix NetScaler/ADC/Gateway, the implications are profound:
- Compromise of Cisco ISE via pre-auth RCE means adversaries can gain full root-level access to infrastructure managing identity, device posture, and network access control. This essentially gives attackers the “keys to the kingdom” of authentication/authorization infrastructure.
- Since the web shell is memory-resident and stealthy, detection and remediation are far more difficult than a typical malware insertion. The attacker can persist in the appliance, monitor traffic, pivot, and elevate privileges further into the network.
- For remote-access and edge appliances such as Citrix NetScaler, exploitation means bypassing authentication, which opens the internal network to unauthorized access. The risk is highest for organisations exposing these services directly to the Internet.
- Even properly configured and fully patched systems were exposed while the flaws were zero-days: the attacks needed no credentials and no prior foothold, so configuration hardening alone did not prevent initial access.
Amazon’s intelligence indicates that exploitation was already occurring before public disclosure (zero-day). Their honeypots detected attempts targeting CVE-2025-5777 for Citrix in May 2025. They further found that the same actor had moved to target Cisco ISE using CVE-2025-20337.
The campaign is described as “indiscriminate” and “targeting the internet” – that is, the actor was scanning or accessing widely rather than only profiling select targets. This emphasizes that the threat is not limited to highly-targeted organizations; any enterprise exposing these systems to the Internet or without strong segmentation is at risk.
Products Affected
| Vendor | Product | Vulnerability | Impact | Affected Versions |
|---|---|---|---|---|
| Cisco | Identity Services Engine (ISE) | CVE-2025-20337 | Pre-auth RCE | ISE & ISE-PIC 3.3 and 3.4 prior to 3.3 Patch 7 and 3.4 Patch 2 |
| Citrix | NetScaler ADC / NetScaler Gateway | CVE-2025-5777 | Insufficient input validation leading to memory overread; session-token leakage and authentication bypass | 14.1 <14.1-43.56; 13.1 <13.1-58.32; 13.1-FIPS/NDcPP <13.1-37.235; 12.1-FIPS <12.1-55.328 |
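An added Go example, not from the advisory or from either vendor, that turns the version ranges in the table into a check an inventory script can run across exported appliance versions. It assumes version strings in the `14.1-43.56` and `3.3 Patch 6` forms and that the inventory records whether a NetScaler runs a FIPS/NDcPP image, since the build string alone does not say; the function names and the sample inventory lines are mine.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// First fixed NetScaler builds per branch, taken from the table above. The
// FIPS/NDcPP images have their own build lines, so they are keyed separately.
var netScalerFixed = map[string][2]int{
	"14.1":      {43, 56},
	"13.1":      {58, 32},
	"13.1-FIPS": {37, 235},
	"12.1-FIPS": {55, 328},
}

// First fixed patch level per ISE / ISE-PIC branch, from the table above.
var iseFixedPatch = map[string]int{"3.3": 7, "3.4": 2}

var (
	netScalerRe = regexp.MustCompile(`^(\d+\.\d+)-(\d+)\.(\d+)$`)
	iseRe       = regexp.MustCompile(`^(\d+\.\d+)(?:\s+[Pp]atch\s+(\d+))?$`)
)

// NetScalerVulnerable reports whether a build such as "14.1-43.50" is below the
// first fixed build for its branch. The caller states whether the appliance runs
// a FIPS/NDcPP image (assumption: the inventory source records this).
func NetScalerVulnerable(version string, fips bool) (bool, error) {
	m := netScalerRe.FindStringSubmatch(strings.TrimSpace(version))
	if m == nil {
		return false, fmt.Errorf("unrecognised NetScaler build %q", version)
	}
	branch := m[1]
	if fips {
		branch += "-FIPS"
	}
	fixed, ok := netScalerFixed[branch]
	if !ok {
		return false, fmt.Errorf("branch %s is not covered by the advisory table", branch)
	}
	major, _ := strconv.Atoi(m[2])
	minor, _ := strconv.Atoi(m[3])
	return major < fixed[0] || (major == fixed[0] && minor < fixed[1]), nil
}

// ISEVulnerable reports whether an ISE version such as "3.3 Patch 6" (or plain
// "3.3", treated as patch 0) is below the first fixed patch for its branch.
func ISEVulnerable(version string) (bool, error) {
	m := iseRe.FindStringSubmatch(strings.TrimSpace(version))
	if m == nil {
		return false, fmt.Errorf("unrecognised ISE version %q", version)
	}
	fixed, ok := iseFixedPatch[m[1]]
	if !ok {
		return false, fmt.Errorf("ISE branch %s is not listed in the advisory table", m[1])
	}
	patch := 0
	if m[2] != "" {
		patch, _ = strconv.Atoi(m[2])
	}
	return patch < fixed, nil
}

func main() {
	// Constructed inventory lines; not real hosts.
	netscalers := []struct {
		ver  string
		fips bool
	}{{"14.1-43.50", false}, {"14.1-43.56", false}, {"13.1-37.200", true}}
	for _, n := range netscalers {
		vuln, err := NetScalerVulnerable(n.ver, n.fips)
		fmt.Printf("NetScaler %-12s fips=%-5v vulnerable=%-5v err=%v\n", n.ver, n.fips, vuln, err)
	}
	for _, v := range []string{"3.3 Patch 6", "3.4 Patch 2", "3.4"} {
		vuln, err := ISEVulnerable(v)
		fmt.Printf("ISE %-12s vulnerable=%-5v err=%v\n", v, vuln, err)
	}
}
```

A branch that is not in the table (for example a non-FIPS 12.1 build) returns an error rather than “not vulnerable”, so that unsupported or mislabelled appliances surface for manual review instead of silently passing.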
Solutions and Mitigations
- Apply patches / upgrades
  - Cisco ISE: upgrade to 3.3 Patch 7 or 3.4 Patch 2, or later.
  - Citrix NetScaler ADC / Gateway: upgrade to 14.1-43.56, 13.1-58.32, 13.1-FIPS/NDcPP 13.1-37.235 or 12.1-FIPS 12.1-55.328, or later. Citrix also advised terminating all active ICA and PCoIP sessions after the upgrade, because session tokens leaked before patching remain valid until those sessions end.
  - Patching closes the entry point but says nothing about what happened while an appliance was exposed and unpatched. Treat such appliances as potentially compromised: review access logs for the exposure window, look for unexpected requests to the appliance’s web interface, and investigate before trusting the device again.
- Restrict access to management and edge appliances
  - Limit inbound access to the management interfaces of Cisco ISE and NetScaler with firewall rules or VPN-only access. Amazon explicitly recommends restricting access to privileged appliance endpoints through firewalls or layered access controls.
  - Do not expose these devices directly to the Internet unless it is unavoidable; where they are exposed, log access, enable alerting, and monitor the traffic.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
