Amazon’s threat intelligence team recently disclosed one of the largest security breaches to date. It is among the first known campaigns to exploit a zero-day vulnerability tracked as CVE-2025-5777, also known as Citrix Bleed 2. The vulnerability carries a critical CVSS score of 9.3 and affects Citrix NetScaler ADC and Gateway systems, making it a critical risk for organizations that depend on these products. The attackers chained this vulnerability with a second zero-day vulnerability in Cisco Identity Services Engine (ISE), which allowed them, among other things, to steal authentication tokens.
The attacks were detected by Amazon’s MadPot honeypot network, which is used to identify and study emerging malicious activity. The sophisticated threat actor used the vulnerabilities to deploy custom malware, illustrating an alarming trend in cyberattacks that directly target the identity and network access control infrastructure enterprises rely on.
Details of the Vulnerability
CVE-2025-5777 is a serious vulnerability caused by insufficient input validation. Attackers can use it to gain access to systems they are not authorized to access, with dire consequences: it allows them to bypass otherwise well-established authentication controls, exposing confidential information and putting the backbone of the network at risk.
CJ Moses, CISO at Amazon Integrated Security, underscored the importance of this finding. He stated,
“This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure – the systems enterprises rely on to enforce security policies and manage authentication across their networks.”
The exploit is especially concerning because it executes prior to authentication. As a result, even robustly configured and well-maintained systems may remain susceptible to this kind of attack. For Moses, it was this trait that highlighted the ongoing, very real risk and fragility organizations face.
The Attack Mechanism
The exploitation of CVE-2025-5777 did not follow the pattern of a typical attack. The adversaries relied on a custom-built backdoor specifically designed for Cisco ISE environments. As with most of the web shells we examine, this one runs entirely in memory, using Java reflection to inject itself into active threads on the affected systems. This multi-tiered approach gives the attacker broad control over the environment while remaining undetected by standard security tools and measures.
Moses further elaborated on the nature of the malware used in this attack:
“This wasn’t typical off-the-shelf malware, but rather a custom-built backdoor specifically designed for Cisco ISE environments.”
Tailored malware of this kind is a primary concern for cybersecurity teams: it is carefully crafted to evade traditional detection efforts and to exploit specific, known weaknesses in the targeted systems.
Implications for Enterprises
The exploitation of CVE-2025-5777 and its chaining with another zero-day vulnerability in Cisco ISE is a cause for concern for organizations around the world. Security teams need to give such vulnerabilities the remediation priority they require in order to protect their infrastructure from highly skilled adversaries.
As cyber threats are ever-changing, organizations must be equally resilient and proactive. Routine maintenance, frequent system audits, and ongoing employee education on recognizing possible threats can greatly reduce the chance of compromise.