Hackers turn Cisco and Citrix zero-days into a malware nightmare
Other flaws are being exploited besides Citrix Bleed Two
- CVE-2025-20337 enables unauthenticated remote code execution in Cisco ISE systems
- Attackers deployed custom in-memory web shells with advanced evasion and encryption techniques
- Exploits were widespread and indiscriminate, with no specific industry or actor attribution
“Sophisticated” threat actors have been using a maximum-severity zero-day vulnerability in Cisco Identity Service Engine (ISE) and Citrix systems to deploy custom backdoor malware, experts have claimed.
Amazon's threat intelligence team said it recently stumbled upon an insufficient-validation-of-user-supplied-input vulnerability in Cisco ISE deployments that gives pre-authentication remote code execution on the affected systems and, with it, administrator-level access.
The researchers discovered the intrusion while investigating a Citrix Bleed Two vulnerability which was also being exploited as a zero-day. The newly found bug is now tracked as CVE-2025-20337 and has been assigned a severity score of 10/10 (critical).
Hiding malware in custom fonts
“A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root,” the NVD page explains.
“The attacker does not require any valid credentials to exploit this vulnerability,” the advisory added, stressing that an attacker could exploit it by submitting a crafted API request.
The vulnerability was used to deploy a custom web shell disguised as a legitimate Cisco ISE component named IdentityAuditAction, Amazon further explained, noting the malware wasn’t typical, or off-the-shelf, but rather custom-built and designed specifically for Cisco ISE environments.
The web shell came with advanced evasion capabilities: it operated entirely in memory, used Java reflection to inject itself into running threads, and registered itself as a listener so it could monitor all HTTP requests across the Tomcat server. It also implemented DES encryption with a non-standard Base64 encoding, and it could only be reached by a client that knew the specific HTTP headers it expected.
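Two of the traits above (a backdoor that only answers to requests carrying particular headers, and payloads wrapped in a non-standard Base64 alphabet) are things a defender can hunt for in request logs from an appliance like ISE. The following Python triage script is an added example, not code from the article or from Amazon's investigation. The header allowlist, the sample requests and the paths in them are constructed for illustration and are not real ISE endpoints or real indicators; a real baseline would come from your own deployment's normal traffic.

```python
import base64
import binascii
import math
import re
from typing import Dict, List, Tuple

# Constructed allowlist of request headers considered normal for the appliance.
# Hypothetical: a real baseline is taken from observed benign traffic.
EXPECTED_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "content-type",
    "content-length", "authorization", "cookie", "connection",
}

# Base64-like text, including the '-' and '_' characters that custom alphabets often use.
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/=_\-]{16,}$")


def shannon_entropy(data: str) -> float:
    """Bits per character; encrypted or encoded blobs sit well above plain text."""
    if not data:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_custom_base64(body: str) -> bool:
    """True when the body is Base64-shaped but does not decode under the standard alphabet."""
    if not BASE64_SHAPE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return False  # decodes cleanly: ordinary Base64
    except (binascii.Error, ValueError):
        return True   # Base64-shaped yet invalid: a remapped alphabet is one explanation


def triage_request(req: Dict) -> List[str]:
    """Return the reasons a single request record deserves analyst attention."""
    reasons: List[str] = []
    unexpected = {h.lower() for h in req.get("headers", {})} - EXPECTED_HEADERS
    if unexpected:
        reasons.append(f"unexpected request header(s): {sorted(unexpected)}")
    body = req.get("body", "")
    if looks_like_custom_base64(body):
        reasons.append("body is Base64-shaped but not standard Base64 (custom alphabet?)")
    if len(body) >= 32 and shannon_entropy(body) > 4.5:
        reasons.append(f"high-entropy body ({shannon_entropy(body):.2f} bits/char)")
    return reasons


def triage_requests(reqs: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Run the triage over a batch and keep only the records that raised a reason."""
    flagged = []
    for r in reqs:
        reasons = triage_request(r)
        if reasons:
            flagged.append((r["path"], reasons))
    return flagged


# Constructed sample records (paths and header names are placeholders, not real ISE endpoints).
SAMPLE_REQUESTS = [
    {
        "path": "/placeholder-api/benign",
        "headers": {"Host": "ise.example.internal", "Content-Type": "application/json",
                    "Authorization": "Basic REDACTED"},
        "body": '{"name": "probe"}',
    },
    {
        "path": "/placeholder-api/endpoint",
        "headers": {"Host": "ise.example.internal", "Content-Type": "text/plain",
                    "X-Constructed-Token": "example"},
        "body": "x9_-Qm3ZpR8_kLw-Tz4VbN7_yQ2f",
    },
]

if __name__ == "__main__":
    for path, reasons in triage_requests(SAMPLE_REQUESTS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The checks are deliberately coarse: an unexpected header or an undecodable Base64-shaped body is a prompt for an analyst to pull the full request and inspect the process memory of the Tomcat instance, not a verdict on its own. The entropy threshold and the allowlist are the two knobs to tune against a clean baseline before running this over production logs.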
Amazon did not attribute the attacks to any particular threat actor, and said they were not targeted at any specific industry or organization. Instead, the exploit was used indiscriminately, against as many organizations as possible.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.