Skip to main content
See every side of every news story
Get Started
SubscribeLogin
Published loading...Updated

Amazon: Cisco, Citrix 0-Days Indicate 'Advanced' Attacker

Amazon's MadPot honeypot uncovered zero-day exploits targeting Citrix and Cisco devices before patches were released, highlighting advanced tactics by a highly resourced threat actor.

  • On Wednesday, CJ Moses said Amazon's MadPot honeypot service detected active exploitation of Citrix NetScaler ADC and Cisco Identity Services Engine zero-days and shared an anomalous payload with Cisco.
  • On July 10, the Cybersecurity and Infrastructure Security Agency added the exploit to its known exploited vulnerabilities catalog, after Cisco disclosed CVE-2025-20337 on June 25 and Amazon traced exploitation to May.
  • Cisco's CVE-2025-20337 carries a CVSS 10 rating permitting remote root code execution, while the custom in-memory backdoor injected into Java threads and included the IdentityAuditAction web shell.
  • By mid-July, researchers recorded more than 11.5 million attack attempts, and Amazon disclosed active exploitation to Cisco, which informed customers within hours; CISA added the exploit to its known vulnerabilities list on July 10.
  • The attackers' use of multiple zero-days indicates advanced research capabilities or access to undisclosed flaws, Amazon said, reinforcing a focus on identity and network edge infrastructure and patch-gap exploitation, while Moses assessed prolonged access for espionage is the likely objective.
Insights by Ground AI
Podcasts & Opinions

12 Articles

Tech RadarTech Radar
Center

Hackers turn Cisco and Citrix zero-days into a malware nightmare

Another flaw, besides Citrix Bleed Two, is being exploited to deliver custom-built backdoors.

·United Kingdom
Read Full Article
CyberScoopCyberScoop
Center

Amazon pins Cisco, Citrix zero-day attacks to APT group

Amazon’s threat intelligence team said it observed an advanced persistent threat group exploiting zero-day vulnerabilities affecting Cisco Identity Service Engine and Citrix NetScaler products before the vendors disclosed and patched the defects last summer. Amazon’s MadPot honeypot service detected active exploitation of the critical defects — CVE-2025-5777 in Citrix and CVE-2025-20337 in Cisco — and through further investigation determined a h…

Read Full Article
The RegisterThe Register
Center

Amazon: Cisco, Citrix 0-days indicate 'advanced' attacker

: Vendors (still) keep mum

Read Full Article
Cybersecurity DiveCybersecurity Dive
Center

Sophisticated threat actor targeting zero-day flaws in Cisco ISE and Citrix

Hackers use custom malware to access multiple vulnerabilities, researchers from Amazon warn.

Read Full Article
BleepingComputerBleepingComputer
Center

Hackers exploited Citrix, Cisco ISE flaws in zero-day attacks

An advanced threat actor exploited the critical vulnerabilities

Read Full Article
FredzoneFredzone

Cisco and Citrix Critical Faults Turned Into a Digital Nightmare

A new Amazon Threat Intelligence report reveals that cybercriminals are actively exploiting major loopholes in Cisco ISE and Citrix systems, allowing for full remote take-over. These sophisticated attacks are based on so-called zero-day vulnerabilities, i.e. unknown to publishers at the time of their exploitation, and have already generated a wave of ... Read more The article Cisco and Citrix's critical loopholes turned into a digital nightmare …

Read Full Article
Think freely.Subscribe and get full access to Ground NewsSubscriptions start at $9.99/yearSubscribe

Bias Distribution

  • 100% of the sources are Center
100% Center

Factuality Info Icon

To view factuality data please Upgrade to Premium

Ownership

Info Icon

To view ownership data please Upgrade to Vantage

BleepingComputer broke the news in on Wednesday, November 12, 2025.
Too Big Arrow Icon
Sources are mostly out of (0)

Similar News Topics

Cisco icon

Cisco

Amazon icon

Amazon

Hacking icon

Hacking

News
Feed Dots Icon
For You
Search Icon
SearchBlindspot LogoBlindspotLocal