Hackers Actively Exploiting Cisco and Citrix 0-Days in the Wild to Deploy Webshell
An advanced hacking group is actively exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix systems. The attacks, observed in real-world operations, let the intruders deploy custom webshells and gain deep access to corporate networks.
The discovery started with Amazon’s MadPot honeypot service, a tool designed to lure and study cyber threats. It caught attempts to exploit a Citrix flaw known as “Citrix Bleed Two” (CVE-2025-5777) before the flaw was publicly known. This zero-day lets attackers run code remotely without permission. Digging deeper, Amazon’s experts linked the same hackers to a previously unknown weakness in Cisco ISE, now tracked as CVE-2025-20337. This bug stems from unsafe deserialization, that is, faulty handling of untrusted serialized data, and lets outsiders execute code before they have even logged in. The result: full administrative control over the affected systems.
Once inside, the hackers planted a custom webshell disguised as a legitimate Cisco component named “IdentityAuditAction.” Unlike generic malware, this one is built specifically for Cisco ISE. It runs entirely in memory and never writes files to disk, which removes the artifacts forensics teams would normally look for. Using Java reflection, it hooks into the system’s web server (Tomcat) so it can inspect all incoming traffic. To hide its commands, it encrypts them with DES and encodes them with a non-standard Base64 variant, and it only activates when a request carries specific HTTP headers.
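The activation-header behaviour described above gives defenders something concrete to hunt for in access logs: requests to the ISE admin interface that carry header names never seen in normal traffic, especially when the header value looks like an encoded blob. The following Python script is an added example, not code from the article, Amazon, or Cisco. It assumes a reverse proxy in front of ISE writes one JSON object per request with lower-cased header names, that the admin portal lives under `/admin`, and it uses the constructed header name `x-audit-token` as a stand-in for the real trigger header, which the article does not name. All log lines are constructed.

```python
"""Flag admin-interface requests carrying headers absent from a clean baseline,
and note whether those header values look like encoded blobs (added example;
log lines, the /admin prefix and the x-audit-token header are assumptions)."""
import json
import math
import re
from collections import Counter

# Constructed JSON-lines access log, roughly what a reverse proxy in front of an
# ISE node could emit. The first four lines stand in for a known-clean window.
SAMPLE_LOG = """\
{"src":"10.0.0.5","method":"GET","path":"/admin/login.jsp","headers":{"host":"ise.corp","user-agent":"Mozilla/5.0","accept":"text/html","cookie":"JSESSIONID=aaa"}}
{"src":"10.0.0.6","method":"POST","path":"/admin/login","headers":{"host":"ise.corp","user-agent":"Mozilla/5.0","content-type":"application/x-www-form-urlencoded","cookie":"JSESSIONID=bbb"}}
{"src":"10.0.0.7","method":"GET","path":"/admin/","headers":{"host":"ise.corp","user-agent":"Mozilla/5.0","accept":"text/html","cookie":"JSESSIONID=ccc"}}
{"src":"10.0.0.5","method":"GET","path":"/admin/dashboard","headers":{"host":"ise.corp","user-agent":"Mozilla/5.0","accept":"text/html","cookie":"JSESSIONID=aaa"}}
{"src":"203.0.113.9","method":"POST","path":"/admin/","headers":{"host":"ise.corp","user-agent":"python-requests/2.31","x-audit-token":"QmFzZTY0LWxvb2tpbmcgcGxhY2Vob2xkZXI="}}
{"src":"198.51.100.4","method":"POST","path":"/admin/","headers":{"host":"ise.corp","user-agent":"curl/8.4.0","x-audit-token":"7GhQ2kPz9xLm4VbN8rTw1YcE5sJd0fHaUi=="}}
"""

ADMIN_PREFIXES = ("/admin",)  # assumption: ISE admin portal paths start here

# Standard and URL-safe Base64 alphabet plus padding, at least 16 characters.
_ENCODED_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def parse_log(text):
    """Parse JSON lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def learn_baseline(clean_events):
    """Set of header names seen during a window believed to be normal traffic."""
    names = Counter()
    for ev in clean_events:
        names.update(h.lower() for h in ev.get("headers", {}))
    return set(names)


def shannon_entropy(s):
    """Bits per character: random Base64 is ~4.5+, ordinary tokens ~3 or less."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_encoded(value):
    """Heuristic for an encoded blob: long, Base64-alphabet-only, high entropy."""
    return bool(_ENCODED_RE.match(value)) and shannon_entropy(value) >= 3.5


def find_unknown_header_requests(events, baseline):
    """Findings for admin-path requests whose headers fall outside the baseline."""
    findings = []
    for ev in events:
        if not ev.get("path", "").startswith(ADMIN_PREFIXES):
            continue
        headers = {k.lower(): v for k, v in ev.get("headers", {}).items()}
        unknown = sorted(h for h in headers if h not in baseline)
        if not unknown:
            continue
        findings.append({
            "src": ev.get("src"),
            "method": ev.get("method"),
            "path": ev["path"],
            "user_agent": headers.get("user-agent"),
            "unknown_headers": unknown,
            "encoded_values": [h for h in unknown if looks_encoded(str(headers[h]))],
        })
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    base = learn_baseline(evs[:4])  # baseline from the clean window only
    for finding in find_unknown_header_requests(evs, base):
        print(json.dumps(finding))
```

The baseline must come from a period you trust to be clean; learning it from the whole log would teach the detector the attacker's own header. The entropy threshold is deliberately low so that short or repetitive values are not flagged, while anything that is DES ciphertext wrapped in a Base64 variant scores well above it.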
Amazon’s analysis shows the group was spraying these exploits broadly across the internet rather than aiming at selected targets. Their tooling shows deep knowledge of Java applications, Tomcat, and Cisco’s internals, suggesting a well-funded team with access to non-public vulnerability information or top-tier research capability. This fits a growing pattern: attackers targeting edge defenses such as identity managers and remote-access gateways that guard entire networks.