Overview
- Amazon's MadPot honeypot network detected exploitation of Citrix Bleed 2 (CVE-2025-5777) before the vulnerability was publicly disclosed, confirming it was used as a zero-day.
- Investigators linked the same threat actor to exploitation of Cisco ISE CVE-2025-20337 and observed deployment of a bespoke in-memory web shell named IdentityAuditAction.
- The backdoor was injected via Java reflection, hooked every HTTP request handled by Tomcat, and encoded its traffic with DES and a non-standard Base64 alphabet; because it lived only in memory, it left few traces on disk or in logs.
- Amazon traced the Cisco ISE exploitation to May and June 2025, before Cisco's late-June advisory and the follow-up warnings in July.
- Both vendors issued patches in June and July 2025, CISA flagged the CVEs as actively exploited, and organizations are urged to apply the updates and keep management portals off the public internet.
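The in-memory web shell described above leaves no jar or .class file to find, but it still has to be loaded into the JVM, so a class histogram from the running process (for example `jcmd <pid> GC.class_histogram`) exposes it. The script below is an added example, not code from the page, Amazon, or Cisco: it parses a histogram dump, flags classes whose simple name matches the reported IOC or that fall outside an assumed allowlist of expected package prefixes, and includes a helper that decodes Base64 written with a non-standard alphabet by remapping it to the standard one. The sample histogram, the `com.example` package, the `EXPECTED_PREFIXES` list, and the alphabet used in testing are all constructed; only the class name IdentityAuditAction comes from the report.

```python
"""Hunt for an in-memory Java web shell via a JVM class histogram (added example)."""
import base64
import re
from dataclasses import dataclass

# Constructed sample of `jcmd <pid> GC.class_histogram` output. Only the simple
# class name IdentityAuditAction is the reported indicator; the package prefix
# com.example and every count here are made up for the example.
SAMPLE_HISTOGRAM = """\
 num     #instances         #bytes  class name (module)
-------------------------------------------------------
   1:         48212        3857024  [B (java.base@11.0.20)
   2:         12031         288744  java.lang.String (java.base@11.0.20)
   3:           310          24800  org.apache.catalina.connector.Request
   4:             1             32  com.example.IdentityAuditAction
   5:            12            960  org.apache.tomcat.util.net.NioChannel
Total        60566        4171616
"""

# Assumed allowlist of package prefixes expected in this JVM; tune it per host
# from a known-good baseline before relying on it.
EXPECTED_PREFIXES = ("java.", "javax.", "jdk.", "sun.", "[", "org.apache.")
# Simple class names reported as indicators in the incident.
IOC_CLASS_NAMES = {"IdentityAuditAction"}

# One numbered histogram row: "  4:   1   32  com.example.Foo (module)"
_ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\d+)\s+(\S+)")


@dataclass(frozen=True)
class ClassEntry:
    instances: int
    nbytes: int
    name: str

    @property
    def simple_name(self) -> str:
        return self.name.rsplit(".", 1)[-1]


def parse_class_histogram(text: str) -> list[ClassEntry]:
    """Parse the numbered rows of a GC.class_histogram dump; header/total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries.append(ClassEntry(int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries


def find_suspicious_classes(text: str, prefixes=EXPECTED_PREFIXES,
                            iocs=IOC_CLASS_NAMES) -> list[ClassEntry]:
    """Flag loaded classes that match a known IOC name or sit outside the expected packages.

    A reflection-injected shell has no file on disk, but it must be loaded to
    run, so it appears here even when the filesystem looks clean.
    """
    flagged = []
    for e in parse_class_histogram(text):
        if e.simple_name in iocs or not e.name.startswith(prefixes):
            flagged.append(e)
    return flagged


STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def decode_custom_b64(data: str, alphabet: str) -> bytes:
    """Decode Base64 that uses a non-standard alphabet by remapping it to the standard one.

    The alphabet must be recovered from the shell's own code; the output is
    still DES ciphertext and needs the recovered key and a DES library to decrypt.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    remapped = data.translate(str.maketrans(alphabet, STD_B64))
    return base64.b64decode(remapped, validate=True)


if __name__ == "__main__":
    for hit in find_suspicious_classes(SAMPLE_HISTOGRAM):
        print(f"suspicious: {hit.name} ({hit.instances} instances, {hit.nbytes} bytes)")
```

Run it against a real dump with `jcmd <pid> GC.class_histogram > hist.txt` and feed the file contents to `find_suspicious_classes`; the allowlist will need a baseline from a clean appliance of the same version, since application classes vary by product and release.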