Critical Zero-Day Attacks Hit Cisco and Citrix Platforms, Amazon Investigates

Amazon’s threat intelligence team revealed that an advanced threat actor was using two then-zero-day security flaws in Citrix NetScaler ADC and Cisco Identity Service Engine (ISE) products as part of attacks intended to distribute bespoke malware.

“This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure – the systems enterprises rely on to enforce security policies and manage authentication across their networks,” said CJ Moses, CISO of Amazon Integrated Security.

The tech giant reported that in May 2025, it discovered exploitation attempts targeting CVE-2025-5777 as a zero-day. Subsequent analysis into the issue revealed an unusual payload that weaponized CVE-2025-20337 to target Cisco ISE appliances.

The result was reportedly the deployment of IdentityAuditAction, a custom web shell that poses as a genuine Cisco ISE component.

“This wasn’t typical off-the-shelf malware, but rather a custom-built backdoor specifically designed for Cisco ISE environments,” Moses said.

Amazon characterized the threat actor as “highly resourced” because of its capacity to exploit multiple zero-day vulnerabilities, which implies either access to non-public vulnerability information or sophisticated in-house vulnerability research capabilities. The campaign itself was described as indiscriminate in its targeting.