Citrix Custom Malware Incident Exposes Coordinated Zero-day Exploitation
November 20, 2025
According to reporting by The Register’s Jessica Lyons, Amazon’s security team found that an advanced threat actor used zero-day exploitation in both Citrix and Cisco technologies to deploy custom malware. A zero-day is a vulnerability or security flaw in a computer system that is unknown to its developers or to anyone else who could fix it; until the vulnerability is addressed, threat actors can exploit it.
Lyons reports that the intrusions, observed through Amazon’s MadPot honeypot, involved attempts to break into vulnerable Citrix NetScaler ADC and Gateway devices before the relevant flaw became public.
Amazon’s subsequent investigation connected the same activity to a previously unknown Cisco Identity Services Engine (ISE) vulnerability. It revealed a coordinated campaign using purpose-built tools across multiple enterprise platforms.
Citrix’s CVE-2025-5777 issue is an out-of-bounds read flaw affecting NetScaler Gateway and AAA virtual servers, allowing memory disclosure. Researchers referred to it as CitrixBleed 2 due to its resemblance to an earlier vulnerability associated with espionage and ransomware activity.
Citrix released a fix on June 17, and by July, government agencies and private researchers reported active zero-day exploitation involving session hijacking.
Amazon then identified an anomalous payload targeting an undocumented Cisco ISE endpoint that relied on insecure deserialization. This separate Cisco flaw, CVE-2025-20337, ultimately received a maximum severity rating because it allowed unauthenticated remote code execution with root privileges.
Amazon stated that exploitation occurred before Cisco assigned the CVE or issued complete patches.
Once inside Cisco ISE, the intruders deployed custom in-memory malware engineered for stealth. The backdoor used Java reflection to inject into running threads, monitored all HTTP requests, employed DES with non-standard Base64 encoding, and required specific headers for access.
According to Amazon, the attacker’s possession of both zero-days indicated significant resources or access to non-public vulnerability information.
For lawyers, this clearly indicates increasing litigation and regulatory exposure for organizations that delay patching or are unable to monitor for sophisticated exploitation. It also points to evolving expectations around vendor disclosure practices, reasonable cybersecurity controls, and incident response readiness when attackers weaponize vulnerabilities before fixes are fully available.