- CVE-2025-20337 allows unauthenticated remote code execution on Cisco ISE systems
- Attackers implemented custom in-memory web shells with advanced evasion and encryption techniques
- The exploits were widespread and indiscriminate, with no specific attribution to one industry or actor
“Sophisticated” threat actors have been using a maximum severity zero-day vulnerability in Cisco Identity Service Engine (ISE) and Citrix systems to deploy custom backdoor malware, experts said.
Amazon’s threat intelligence team said it recently encountered an insufficient-validation-of-user-supplied-input vulnerability in Cisco ISE deployments that allowed pre-authentication remote code execution on compromised endpoints and gave administrator-level access to the systems.
The researchers discovered the intrusion while investigating a Citrix Bleed Two vulnerability that was also being exploited as a zero-day vulnerability. The newly found bug is now tracked as CVE-2025-20337 and has been assigned a severity score of 10/10 (critical).
Hide malware in custom fonts
“A vulnerability in a specific Cisco ISE and Cisco ISE-PIC API could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root,” the NVD page explains.
“The attacker does not require any valid credentials to exploit this vulnerability,” the advisory adds, emphasizing that an attacker could exploit it by sending a crafted API request.
The vulnerability was used to deploy a custom web shell disguised as a legitimate Cisco ISE component called IdentityAuditAction, Amazon explained in more detail, noting that the malware was not an off-the-shelf or commercially available tool but had been built specifically for Cisco ISE environments.
The web shell came with advanced evasion capabilities, including fully in-memory operation, using Java reflection to inject itself into running threads, and registering as a listener to monitor all HTTP requests on the Tomcat server. It also implemented DES encryption with non-standard Base64 encoding and required knowledge of specific HTTP headers to access.
Amazon did not attribute the attacks to any particular threat actor and said they were not aimed at any specific industry or organization. Instead, the exploit was used indiscriminately, against as many organizations as possible.