Amazon Reveals Pre‑Disclosure Exploits of Citrix NetScaler and Cisco ISE to Plant Stealth Backdoor

Pre-disclosure exploitation underscores the patch-gap risk for identity and network-edge systems.

Overview

  • Amazon’s MadPot honeypot spotted CitrixBleed 2 (CVE-2025-5777) exploitation before disclosure and linked the activity to a then-unknown Cisco ISE flaw (CVE-2025-20337).
  • The attackers deployed a bespoke Cisco ISE web shell named IdentityAuditAction that ran entirely in memory, injected via Java reflection, registered an HTTP listener, and used DES with nonstandard Base64 plus secret headers to evade detection.
  • Amazon traced the intrusions to May–June 2025, identified the pre-disclosure Cisco ISE exploitation in early July, and notified Cisco, which informed customers within hours.
  • Citrix patched CVE-2025-5777 in June and Cisco fixed CVE-2025-20337 in July; researchers observed more than 11.5 million post-disclosure attack attempts by mid-July.
  • Amazon assesses a single, highly resourced threat actor likely seeking prolonged access for espionage and urges immediate patching and restricted access to edge management portals.