An unidentified hacker group exploited the critical zero-day vulnerabilities CVE-2025-5777 in Citrix NetScaler and CVE-2025-20337 in Cisco Identity Service Engine. Amazon’s threat intelligence team discovered the attacks via their MadPot honeypot before the vulnerabilities became public knowledge.
Amazon’s MadPot honeypot detected exploitation attempts for Citrix Bleed 2 (CVE-2025-5777) before the vulnerability was publicly disclosed. This provided evidence that an attacker was already exploiting the flaw. Through further investigation of the same attacker, Amazon also discovered a previously undocumented vulnerability, a zero-day, in Cisco ISE.
Citrix Bleed 2 involves an out-of-bounds memory read issue in NetScaler ADC and Gateway. Citrix published patches at the end of June. Although the vendor needed time to confirm that the vulnerability was being exploited in attacks, exploits appeared as early as the beginning of July. CISA then marked the vulnerability as actively exploited.
MadPot in action
MadPot is AWS’s honeypot program. It is a global network of concealed decoy targets designed to attract attackers so that their methods can be studied. Tens of thousands of sensors record more than 100 million connection attempts to these honeypots every day. That raw telemetry is analyzed to extract malware samples, indicators of compromise, and exploit patterns, after which the insights feed into Amazon’s threat intelligence and security services such as GuardDuty, Shield, WAF, and Inspector.
In addition to detection, MadPot also uses that intelligence to actively disrupt threats. Through AWS network controls and collaboration with hosters and other internet players, malicious infrastructures can be blocked or taken offline, and customers and government agencies can be alerted. The system, originally set up by an AWS security engineer, has repeatedly helped identify advanced attack groups and prevent incidents, and is now a core component of Amazon’s cyber defense.
Cisco ISE under fire
The vulnerability in Cisco ISE (CVE-2025-20337) received the maximum CVSS score of 10.0. Cisco warned on July 17 that attackers could exploit it to store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.
Within five days, Cisco repeated the warning about active exploitation of CVE-2025-20337. On July 28, security researcher Bobby Gould published technical details and an exploit chain.
According to a report shared by Amazon with BleepingComputer, both vulnerabilities were exploited in APT attacks before Cisco and Citrix released their initial security bulletins.
Advanced attack techniques
The hackers used CVE-2025-20337 to gain pre-auth admin access to Cisco ISE endpoints. They installed a custom webshell called “IdentityAuditAction,” disguised as a legitimate ISE component.
The webshell registered itself as an HTTP listener to intercept all requests. It injected itself into Tomcat server threads via Java reflection. For added stealth, the tool used DES encryption combined with a non-standard base64 encoding. Accessing it required knowledge of specific HTTP headers, and it left minimal forensic traces.
The use of multiple unknown zero-days and advanced knowledge of Java/Tomcat internals and Cisco ISE architecture all point to a highly sophisticated attacker. However, Amazon was unable to attribute the activity to a known threat group.
Strikingly, the targeting appeared to be indiscriminate, which is at odds with the narrowly scoped targeting that usually characterizes operations by advanced groups. Organizations are advised to apply the available security updates for CVE-2025-5777 and CVE-2025-20337. In addition, it is wise to restrict access to edge network devices through firewalls and network segmentation.