Amazon's security team recently revealed that a well-resourced threat actor exploited two zero-day vulnerabilities in critical network and identity systems developed by Cisco and Citrix. These sophisticated attacks targeted network access control infrastructure and delivered custom malware. One of the vulnerabilities, CVE-2025-20337, allowed unauthenticated remote code execution on the Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector. Its maximum severity rating of 10.0 signals how dangerous it turned out to be. The other flaw, CVE-2025-5777, affected Citrix NetScaler ADC and Gateway products, allowing attackers to bypass authentication altogether (CVSS score: 9.3).
Amazon traced these attacks using its MadPot honeypot network and found that the campaign did more than scrape public exploits. The adversary used a bespoke web shell dubbed IdentityAuditAction, designed to run in memory and mask itself as a core Cisco ISE component. It monitored HTTP traffic in Tomcat threads and employed a non-standard Base64 encoding of DES-encrypted data to stay hidden.
By zeroing in on identity and network access infrastructure, the attackers leveraged some of the most sensitive systems enterprises depend on. As Amazon CISO CJ Moses noted, the fact that the attack chain began with pre-authentication access renders even well-maintained systems vulnerable.
From a defence perspective, this incident highlights several important lessons. First, organisations need to assume that adversaries will exploit systems right at the perimeter and inside hardened infrastructure. That means administrators must apply layered controls and strict monitoring to management consoles, identity engines, and VPN gateways. Second, security teams must sharpen their detection capabilities. Custom, in-memory malware that masquerades as legitimate software demands anomaly detection rather than just signature-based tools.
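As an added illustration of the anomaly-over-signature point (this is example code, not Amazon's, Cisco's or Citrix's), the script below triages web access logs for query-parameter values that are shaped like Base64 but use a non-standard alphabet, fail standard decoding, or decode to non-text bytes, the kind of encoded, encrypted traffic the web shell described above relied on. The log line format, the paths, the custom alphabet and the sample blobs are all constructed for the demonstration.

```python
# Added example (not Amazon/Cisco/Citrix code): flag query-parameter values that
# look like Base64 but use a non-standard alphabet, fail standard decoding, or
# decode to non-text bytes. Log format, paths, alphabet and blobs are constructed.
import base64, binascii, hashlib, math, re
from collections import Counter
from urllib.parse import parse_qs, quote, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3}$')  # constructed format
STD_B64 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
URL_B64 = (STD_B64 - set("+/")) | set("-_")
MIN_LEN, MIN_ENTROPY, MIN_PRINTABLE = 24, 3.5, 0.8

def shannon_entropy(text):
    """Bits per character: repetitive text scores low, encoded blobs score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def classify_value(value):
    """Return None for an unremarkable value, or a short reason worth analyst review."""
    chars = set(value)
    if len(value) < MIN_LEN or " " in value or len(chars) > 65 or shannon_entropy(value) < MIN_ENTROPY:
        return None  # short, spaced, too varied or too repetitive: not an encoded blob
    if not (chars <= STD_B64 or chars <= URL_B64):
        return "custom-alphabet base64-like blob"
    try:
        raw = base64.b64decode(value, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return "base64-like blob that fails standard decoding"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    if raw and printable / len(raw) < MIN_PRINTABLE:
        return "base64 of non-text bytes (possible encrypted payload)"
    return None

def scan_log(lines):
    """Return (ip, target, parameter, reason) for every flagged query parameter."""
    findings = []
    for m in filter(None, map(LOG_RE.match, (line.strip() for line in lines))):
        for name, values in parse_qs(urlsplit(m["target"]).query).items():
            findings += [(m["ip"], m["target"], name, r) for r in map(classify_value, values) if r]
    return findings

# Constructed samples: a stand-in ciphertext in standard Base64, then the same
# string re-mapped through a made-up 64-symbol alphabet heavy in punctuation.
_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_CUSTOM = "!#$%&()*,.:;<>?@[]^`{|}~0123456789abcdefghijklmnopqrstuvwxyzABCD"
_STD_BLOB = base64.b64encode(hashlib.sha256(b"constructed stand-in for DES ciphertext").digest()[:24]).decode()
_CUSTOM_BLOB = _STD_BLOB.translate(str.maketrans(_STD, _CUSTOM))
_TOKEN = base64.b64encode(b"session:alice:2025-11").decode()  # benign: decodes to text
SAMPLE_LOG = [
    '10.0.0.5 "GET /login?user=alice&next=%2Fdashboard HTTP/1.1" 200',
    f'10.0.0.5 "GET /api/session?token={quote(_TOKEN, safe="")} HTTP/1.1" 200',
    f'10.0.0.9 "POST /app/audit?data={quote(_STD_BLOB, safe="")} HTTP/1.1" 200',
    f'10.0.0.9 "POST /app/audit?data={quote(_CUSTOM_BLOB, safe="")} HTTP/1.1" 200',
]
```

Only the two `/app/audit` requests are reported; the login and session-token requests pass because their values are short or decode to readable text. Treat the output as a triage queue, not a verdict: unpadded tokens and other opaque but legitimate values will also surface and need an analyst's eye.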
Yet implementing these measures at scale remains difficult. Many enterprises operate legacy appliances or use default configurations without strict compartmentalisation. When identity servers or network chokepoints are compromised, lateral movement becomes far easier. The campaign unearthed by Amazon shows how quickly an attacker can move from exploitation to custom payload deployment.
Looking ahead, this case will likely ripple across vendor-client relationships. Suppliers of network and identity infrastructure may face increased pressure to provide not only patches but transparent disclosures about exploit chains and protection strategies. Clients, for their part, will have to accelerate asset inventory, patching and threat-hunting programmes to account for adversaries who now weaponise zero-day flaws with enterprise-grade tools.
In summary, the Amazon disclosure reframes how organisations should think about security appliances. Vulnerabilities in identity or network control layers can no longer be considered niche or edge cases; they represent prime targets. Stopping the next breach will require aligning people, process and technology around resilience rather than just detection.