Hackers Exploit Zero-Day Flaws in Cisco, Citrix for Webshell Deployment; Amazon Detects Through MadPot Service

Hackers Exploit Zero-Day Vulnerabilities in Cisco and Citrix Systems to Deploy Webshells

An advanced hacking group is actively exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix systems, enabling them to deploy custom webshells and gain deep access to corporate networks. These attacks, observed in real-world operations, highlight the critical risks posed to businesses by such sophisticated cyber threats.

Discovery of the Exploits

The attack was uncovered by Amazon’s MadPot honeypot service, a tool designed to attract and study cyber threats. This service detected attempts to exploit a Citrix vulnerability known as Citrix Bleed Two (CVE-2025-5777) before it was publicly disclosed. This zero-day flaw allows attackers to execute code remotely without authentication. Further investigation by Amazon’s security team linked the same hackers to the exploitation of a previously unknown vulnerability in Cisco ISE, now identified as CVE-2025-20337. This vulnerability involves improper deserialization of user input, enabling unauthenticated attackers to execute arbitrary code and gain full administrative control over affected systems.

Timing and Tactics

Notably, these vulnerabilities were being exploited in the wild on live, internet-facing systems before Cisco assigned a CVE number or released patches for all versions of ISE. This patch-gap strategy demonstrates the attackers’ agility in monitoring vendor updates and swiftly exploiting security gaps. Amazon shared details of the Cisco vulnerability with the company, facilitating expedited fixes; however, by that time, the attacks were already underway.

Deployment of Custom Webshells

Once inside the compromised systems, the attackers deployed a custom webshell disguised as a legitimate Cisco component named IdentityAuditAction. Unlike generic malware, this webshell was specifically crafted for Cisco ISE environments. It operates entirely in memory, avoiding the creation of files that could be detected by forensic tools. Utilizing Java reflection techniques, it integrates with the system’s web server (Tomcat) to monitor all incoming traffic. To conceal its commands, the webshell employs DES encryption combined with a modified Base64 encoding scheme and activates upon detecting specific web headers.

Technical Insights

Analysis of the webshell’s code reveals sophisticated methods employed by the attackers. For instance, one routine decodes concealed instructions from web requests, substitutes certain characters (e.g., replacing with a), and uses a secret key (d384922c) to decrypt the payload. This approach allows the attackers to execute arbitrary code without leaving noticeable traces, complicating detection efforts.
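The header-triggered, Base64-variant command channel described above suggests one defensive check a proxy or WAF team can run over exported request metadata. The following Python is an added illustration, not code from Amazon, Cisco or the webshell analysis; the baseline header set, header names, paths and sample requests are all constructed assumptions, not real indicators.

```python
"""Flag non-baseline HTTP headers whose values look like encoded command blobs.

Added example. The webshell activates on specific request headers and carries
DES-encrypted payloads in a modified Base64 form, so a header that is outside
the application's normal set and is long, Base64-shaped and high-entropy is
worth alerting on. All names and samples here are constructed placeholders.
"""
import math
import re
from collections import Counter

# Headers an admin-portal session is normally expected to carry (assumption).
BASELINE_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "cookie", "content-type", "content-length", "referer", "connection",
    "x-requested-with",
}

# Base64 alphabet plus a small tolerance for substituted characters.
_B64_LIKE = re.compile(r"^[A-Za-z0-9+/=_\-.]+$")


def shannon_entropy(text: str) -> float:
    """Bits per character; random Base64 text scores well above 4."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(value: str, min_len: int = 32) -> bool:
    """True for long, Base64-shaped, high-entropy header values."""
    return (len(value) >= min_len
            and bool(_B64_LIKE.match(value))
            and shannon_entropy(value) > 4.0)


def suspicious_headers(request: dict) -> list:
    """Names of non-baseline headers carrying encoded-looking values."""
    return [name for name, value in request.get("headers", {}).items()
            if name.lower() not in BASELINE_HEADERS and looks_encoded(value)]


def scan(requests: list) -> list:
    """(path, flagged headers) for every request with at least one hit."""
    hits = [(r["path"], suspicious_headers(r)) for r in requests]
    return [(path, names) for path, names in hits if names]


# Constructed sample of proxy-exported requests (not real traffic).
SAMPLE_REQUESTS = [
    {"path": "/admin/login.jsp", "headers": {"Host": "ise.example.internal",
     "User-Agent": "Mozilla/5.0", "X-Debug": "a" * 40}},  # long but low-entropy
    {"path": "/admin/", "headers": {"Host": "ise.example.internal",
     "User-Agent": "curl/8.0",
     "X-Task-Id": "k2Vz0dQ9bLrY7xP3mN8wTq1uHs4fGj6aBc5eRtYuIoPaSdFg=="}},
]
```

The low-entropy `X-Debug` value is deliberately left unflagged to show that length alone is not the signal; tune `min_len` and the entropy threshold against your own traffic before alerting on it.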

Scope and Implications

Amazon’s analysis indicates that the attackers were broadly targeting these exploits across the internet, rather than focusing on specific organizations. Their tools demonstrate deep expertise in Java applications, Tomcat servers, and Cisco’s architecture, suggesting a well-resourced team with access to insider vulnerability information or advanced research capabilities. This aligns with a growing trend of attackers focusing on edge defenses, such as identity management systems and remote gateways that protect entire networks.

Recommendations for Security Professionals

This campaign serves as a critical reminder that even robust systems can be vulnerable to pre-authentication exploits. Amazon advises security teams to implement multiple layers of defense:

– Restrict Access: Use firewalls to limit access to management portals.

– Monitor Traffic: Continuously monitor for unusual web traffic patterns.

– Enhance Detection: Develop detection mechanisms for anomalous behaviors.

– Prompt Patching: Apply security patches promptly.

– Incident Response Planning: Assume potential breaches and have response plans in place.

This incident underscores the necessity for organizations to remain vigilant and proactive in their cybersecurity measures, as attackers continue to evolve their tactics to exploit critical vulnerabilities in essential systems.