NEWS Double 0-day Against Cisco and Citrix — Amazon Records APT-Level Attack on the Core of Corporate Security

ExcalibuR


Assaults on authentication infrastructure are becoming more covert and synchronized.

Amazon has reported a sophisticated cyberattack in which threat actors simultaneously used two zero-day vulnerabilities—in products from Citrix and Cisco. According to the company's Chief Information Security Officer, CJ Moses, an unknown group gained access to systems by exploiting the flaws before they were publicly disclosed and deployed custom-made malware.

The incident was detected by Amazon's MadPot honeypot network. It identified intrusion attempts exploiting vulnerability CVE-2025-5777 in Citrix NetScaler ADC and NetScaler Gateway—an out-of-bounds memory read error. This allowed an attacker to remotely read the device's memory contents and obtain sensitive session data. The vulnerability was unofficially named CitrixBleed 2, drawing a parallel to a previous bug hackers used to steal user authorization tokens.

Citrix published a patch on June 17; however, subsequent observations revealed that the exploit was actively used even before the patch was released. By early July, the US Cybersecurity and Infrastructure Security Agency (CISA) and independent researchers confirmed the exploitation of the vulnerability, which allowed for the interception of user sessions.
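The defender-side check that follows from a session-interception bug like this one is to look for a gateway session identifier that is suddenly presented from a second client address shortly after a legitimate one. The script below is an added example, not from the article or from Citrix: the log layout is a constructed, hypothetical one (timestamp, client IP, session id, method, path), not NetScaler's real syslog format, so the regular expression and field names would need adapting to whatever the appliance actually exports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in a hypothetical layout (not the real
# NetScaler format). Session AbC123 is seen from a second IP three minutes
# after the first; session XyZ789 changes IP only after several hours.
SAMPLE_LOG = """\
2025-07-01T09:00:01Z 203.0.113.10 sess=AbC123 GET /vpn/index.html
2025-07-01T09:00:07Z 203.0.113.10 sess=AbC123 GET /cgi/portal
2025-07-01T09:03:15Z 198.51.100.77 sess=AbC123 GET /cgi/portal
2025-07-01T09:05:00Z 192.0.2.5 sess=XyZ789 GET /vpn/index.html
2025-07-01T13:30:00Z 192.0.2.9 sess=XyZ789 GET /cgi/portal
"""

LINE_RE = re.compile(r"^(\S+) (\S+) sess=(\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed log layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "ip": m.group(2),
                       "session": m.group(3), "path": m.group(5)})
    return events


def find_hijack_candidates(events, window=timedelta(minutes=30)):
    """Return {session_id: [(ip, first_seen), ...]} for every session that was
    presented from a new client IP within `window` of the previous IP's first
    use. A long gap between IPs (roaming, reconnect next day) is not flagged."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)

    findings = {}
    for sid, evs in by_session.items():
        first_seen = {}
        for e in evs:
            first_seen.setdefault(e["ip"], e["ts"])  # earliest use per IP
        if len(first_seen) < 2:
            continue
        ips = sorted(first_seen.items(), key=lambda kv: kv[1])
        # flag if any consecutive pair of IPs appears within the window
        for (_, t_a), (_, t_b) in zip(ips, ips[1:]):
            if t_b - t_a <= window:
                findings[sid] = ips
                break
    return findings


if __name__ == "__main__":
    for sid, ips in find_hijack_candidates(parse_log(SAMPLE_LOG)).items():
        print(sid, "->", ", ".join(f"{ip} @ {ts:%H:%M:%S}" for ip, ts in ips))
```

The window parameter is the tuning knob: too short and a hijacker who waits is missed, too long and legitimate address changes on mobile or VPN clients produce noise. Correlating the flagged session with the user's normal source ranges is the next step a SOC analyst would take.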

While Amazon specialists were analyzing the Citrix attack, they discovered another malicious component, this time targeting Cisco Identity Services Engine. It exploited a previously undocumented network endpoint that was vulnerable because of a data deserialization flaw. The information was passed to Cisco, and the company later assigned this bug the identifier CVE-2025-20337.

This second vulnerability received the maximum severity score—10.0 on the CVSS scale. It allowed remote, unauthenticated attackers to execute arbitrary code on the server with root privileges. According to Moses, it was particularly alarming that the attacks began before Cisco had officially registered the vulnerability and released comprehensive updates. Such "exploitation in the window between patches" is considered a typical technique of well-prepared actors who monitor code changes and instantly turn discovered errors into attack tools.

After breaching the Cisco ISE, the hackers installed a custom backdoor designed specifically for this platform. It operated solely in memory, leaving almost no traces, and injected itself into active Java processes using a reflection mechanism. The malware registered itself in the system as an HTTP listener, intercepting all Tomcat server traffic. For stealth, it used DES encryption and non-standard Base64 encoding, and access to its control required knowledge of specific HTTP headers. Based on the totality of the evidence, specialists concluded that the attack originated not from random hackers, but from a group deeply familiar with the Cisco ISE architecture and corporate Java applications.
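A memory-only implant that injects itself into a running Java process via reflection leaves nothing on disk to hash, but it still has to exist as loaded classes inside the JVM. One practical triage step is to snapshot the class histogram of the appliance's Java process (`jcmd <pid> GC.class_histogram`) after a clean boot, and later diff a fresh snapshot against that baseline. The script below is an added example, not code from Amazon's report or from Cisco: the two histograms are constructed excerpts in the layout `jcmd` prints, and every class name in them (including `com.ise.internal.HttpListenerImpl`, standing in for an unexpected listener class) is hypothetical.

```python
import re

# Constructed baseline excerpt in the layout of `jcmd <pid> GC.class_histogram`
# (hypothetical class names; the "(module)" suffix does not appear on JDK 8).
BASELINE_HISTOGRAM = """\
 num     #instances         #bytes  class name (module)
-------------------------------------------------------
   1:         48213        3841232  [B (java.base@17.0.9)
   2:         21044         505056  java.lang.String (java.base@17.0.9)
   3:           312          39936  org.apache.catalina.connector.Request
   4:            40           5120  com.example.ise.SessionManager
Total         69609        4391344
"""

# Constructed later snapshot of the same process. Three classes are new:
# one in a package family already seen, two in package families never seen.
LIVE_HISTOGRAM = """\
 num     #instances         #bytes  class name (module)
-------------------------------------------------------
   1:         50120        4011264  [B (java.base@17.0.9)
   2:         22871         548904  java.lang.String (java.base@17.0.9)
   3:           298          38144  org.apache.catalina.connector.Request
   4:            41           5248  com.example.ise.SessionManager
   5:             2            224  org.apache.catalina.core.StandardWrapperValve
   6:             2            208  javax.crypto.Cipher (java.base@17.0.9)
   7:             1            120  com.ise.internal.HttpListenerImpl
Total         73333        4603904
"""

# Data rows look like "   3:   312   39936  org.apache...Request (module)".
ROW_RE = re.compile(r"^\s*\d+:\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_histogram(text):
    """Map class name -> (instances, bytes); header and Total lines are skipped."""
    classes = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            classes[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return classes


def package_family(name):
    """First three dotted components (e.g. org.apache.catalina), ignoring any
    inner-class suffix; array types such as [B are returned unchanged."""
    base = name.split("$", 1)[0]
    return ".".join(base.split(".")[:3])


def diff_histogram(baseline, live):
    """Split classes present in `live` but absent from `baseline` into those
    whose package family was already loaded (usually lazy loading) and those
    from a package family the baseline never saw (worth a closer look)."""
    known_families = {package_family(n) for n in baseline}
    new_package, new_in_known = [], []
    for name in sorted(live):
        if name in baseline:
            continue
        target = new_in_known if package_family(name) in known_families else new_package
        target.append(name)
    return {"new_package": new_package, "new_class_known_package": new_in_known}


if __name__ == "__main__":
    result = diff_histogram(parse_histogram(BASELINE_HISTOGRAM),
                            parse_histogram(LIVE_HISTOGRAM))
    for bucket, names in result.items():
        print(bucket, "->", names or "none")
```

A JVM loads classes lazily, so a single diff will always show churn in packages the application already uses; the useful signal is a class whose package family never appeared in the baseline and that no jar on the appliance accounts for. The baseline should be taken from the same software version after a clean boot and a normal warm-up period, and the histogram tool itself should be run from the appliance's own JDK, since `jcmd` must match the target JVM.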

The fact that they simultaneously possessed exploits for both CitrixBleed 2 and CVE-2025-20337 indicates a high level of preparation by the threat actors. Such capabilities are typically only available to a team with its own vulnerability researchers or access to non-public information about them. Neither Cisco nor Citrix has yet disclosed who was behind the attacks or the objectives of the operation.

According to the assessment of the Amazon Threat Intelligence team, this incident is a prime example of an increasingly dangerous trend: major APT groups are using multiple vulnerabilities simultaneously to breach critical service systems—those responsible for authentication, access control, and network policy in corporate infrastructures.