
Active Campaign Uses Cisco and Citrix 0-Days to Deploy Persistent Webshells

Threat actors are actively exploiting zero-day vulnerabilities in critical enterprise systems and deploying custom webshells to establish and retain administrative access to compromised networks.

Amazon’s threat intelligence team has uncovered a coordinated campaign targeting Cisco Identity Services Engine (ISE) and Citrix NetScaler systems, revealing an adversary with deep expertise in enterprise environments.

The activity was first detected through Amazon’s MadPot honeypot service, which recorded exploitation attempts against the Citrix NetScaler vulnerability later named CitrixBleed 2 (CVE-2025-5777) before it was publicly disclosed.

Seeing the exploit land on a honeypot ahead of disclosure shows that the vulnerability had already been weaponized in live attacks.

During the investigation, Amazon Threat Intelligence found a companion zero-day in Cisco ISE, CVE-2025-20337: a deserialization flaw on an undocumented endpoint that yields pre-authentication remote code execution.

What makes CVE-2025-20337 critical is that it grants an attacker administrator-level access to the appliance without any valid credentials, and ISE is the system that decides which users and devices are allowed onto the network.

The timing of these exploits reveals a troubling pattern: the actor was exploiting both vulnerabilities as zero-days while indiscriminately targeting internet-exposed systems, rather than reserving them for selected victims.

That combination points to a well-resourced adversary with its own vulnerability research capability, or with access to non-public vulnerability information.

CVE ID           Affected Product                        Severity   Status
CVE-2025-20337   Cisco Identity Services Engine (ISE)    Critical   Zero-day (active exploitation)
CVE-2025-5777    Citrix NetScaler ADC and Gateway        Critical   Zero-day (active exploitation)

Custom Webshell Evasion and Persistence Techniques

Following successful exploitation, the attackers deployed a custom webshell masquerading as a legitimate Cisco ISE component named IdentityAuditAction.

The backdoor was built specifically for Cisco ISE environments and includes evasion features aimed at file-based and signature-based detection.

It operated entirely in memory: nothing was written to disk for a file-integrity monitor or antivirus scan to catch, so the remaining forensic evidence lives in the JVM’s memory and in request logs rather than on the filesystem.


The attackers used Java reflection to insert the shell into running application threads and register it as an HTTP request listener on the Tomcat server that hosts ISE, so it receives requests without any new servlet deployment or file on disk.

To obfuscate its traffic, the shell wrapped payloads in a non-standard DES variant and a Base64 encoding with a custom alphabet. Because a permuted alphabet reuses the same 64 characters as standard Base64, the payloads pass ordinary Base64 validity checks yet decode to meaningless bytes unless the attacker’s alphabet (and then the DES key) is recovered, which is what lets them slip past signature-based inspection.

Reaching the shell required knowledge of specific HTTP headers plus a further authentication layer, so a scan that simply requests the endpoint gets nothing back; this kind of gating is characteristic of nation-state or well-funded criminal tooling.
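As an added example (not code from the original article, from Amazon, or from the webshell itself), the script below shows what a custom Base64 alphabet means for an analyst and why it defeats naive signatures. The attacker alphabet is assumed to be a rotation of the standard table, a placeholder for the one that would be recovered by decompiling the IdentityAuditAction class, and the sample ciphertext is a constructed 16-byte stand-in rather than real DES output. The DES layer itself is left out, since the page does not describe the non-standard variant.

```python
import base64
import binascii
import string
from typing import Dict, Optional

# RFC 4648 alphabet that base64.b64decode understands.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical attacker alphabet, constructed for this example: the standard
# table rotated by 17 positions. The real webshell's alphabet is not published;
# in practice it is recovered from the decompiled IdentityAuditAction class.
CUSTOM_ALPHABET = STD_ALPHABET[17:] + STD_ALPHABET[:17]

# Constructed stand-in for 16 bytes of DES ciphertext (two 8-byte blocks).
# Not real DES output; the "non-standard DES" variant is not described here.
SAMPLE_CIPHERTEXT = bytes.fromhex("9a3f0011f47bc28e5d01aa6327d84e10")


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct characters, none of them '='")


def custom_b64encode(data: bytes, alphabet: str) -> str:
    """Encode with a permuted alphabet: encode normally, then swap symbols."""
    _check_alphabet(alphabet)
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(data).decode("ascii").translate(table)


def custom_b64decode(payload: str, alphabet: str) -> Optional[bytes]:
    """Map a permuted-alphabet string back onto the standard alphabet and
    decode it. Returns None if the text is not valid under that alphabet."""
    _check_alphabet(alphabet)
    body = payload.strip().rstrip("=")
    if not body or any(c not in alphabet for c in body):
        return None
    table = str.maketrans(alphabet, STD_ALPHABET)
    translated = body.translate(table)
    translated += "=" * (-len(translated) % 4)  # restore padding
    try:
        return base64.b64decode(translated, validate=True)
    except binascii.Error:
        return None


def std_b64decode(payload: str) -> Optional[bytes]:
    """Strict standard-alphabet decode, None on failure."""
    try:
        return base64.b64decode(payload.strip(), validate=True)
    except binascii.Error:
        return None


def triage_body(body: str, alphabet: str = CUSTOM_ALPHABET) -> Dict[str, object]:
    """Cheap consistency checks for a captured request or response body.

    A permuted alphabet reuses the same 64 symbols, so the body also decodes
    as standard Base64 (to garbage): "is it valid Base64" cannot tell the two
    apart. Length does survive the permutation, so a DES-wrapped payload must
    decode to a multiple of the 8-byte block size under either alphabet."""
    standard = std_b64decode(body)
    custom = custom_b64decode(body, alphabet)
    return {
        "decodes_as_standard": standard is not None,
        "decodes_with_custom_alphabet": custom is not None,
        "decoded_len": len(custom) if custom is not None else 0,
        "des_block_aligned": custom is not None and len(custom) % 8 == 0,
        "standard_decode_differs": (standard is not None and custom is not None
                                    and standard != custom),
    }


if __name__ == "__main__":
    wire = custom_b64encode(SAMPLE_CIPHERTEXT, CUSTOM_ALPHABET)
    print("on the wire:    ", wire)
    print("standard decode:", std_b64decode(wire).hex())
    print("custom decode:  ", custom_b64decode(wire, CUSTOM_ALPHABET).hex())
    print("triage:", triage_body(wire))
```

Run it and the standard decode of the wire string is valid but wrong in every byte, while the custom decode returns the original ciphertext; that is the whole evasion. The block-alignment flag is only a weak filter for hunting, not a signature, because legitimate Base64 bodies are often 8-byte aligned too.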

The tooling reflects deep expertise in enterprise Java applications, Tomcat internals, and Cisco ISE architecture, knowledge not typically available in public documentation.

Organizations must recognize that identity management systems and remote access infrastructure remain prime targets for advanced threat actors.

Security teams should apply defense in depth with anomaly detection tuned to these systems, since a memory-resident shell on a core identity appliance leaves few file or signature artifacts to alert on.

Restricting access to security appliance management interfaces and administration portals at the firewall, so they are reachable only from management networks and never from the internet, removes the exposure these pre-authentication exploits depend on.


The post Active Campaign Uses Cisco and Citrix 0-Days to Deploy Persistent Webshells appeared first on Cyber Security News.

