In today’s rapidly evolving cyber landscape, the emergence of advanced threat actors wielding zero-day vulnerabilities has become a pressing concern for enterprises worldwide. These actors are not just opportunistic hackers; they are highly organized, well-resourced, and possess a sophisticated understanding of enterprise environments. Recently, Amazon’s threat intelligence team reported alarming findings: these actors are actively exploiting previously undisclosed zero-day vulnerabilities in critical enterprise systems, and they are deploying custom webshells to maintain administrative access across compromised networks.
The campaign came into focus with the targeting of Cisco’s Identity Services Engine (ISE) and Citrix systems. This revelation shines a light on the tactics of a sophisticated adversary that exhibits not only depth of technical knowledge but also an alarming capability to disrupt essential business operations. Amazon’s discovery was first flagged through their MadPot honeypot service, which identified exploitation attempts against the Citrix Bleed Two vulnerability prior to its public disclosure, a testament to how quickly such vulnerabilities can become weapons in the hands of malicious actors.
Building on these findings, Amazon Threat Intelligence unearthed a companion zero-day vulnerability impacting Cisco ISE. The exploit takes advantage of a deserialization flaw on an undocumented endpoint, enabling pre-authentication remote code execution. CVE-2025-20337 is rated critical because it allows attackers to gain administrator-level access without requiring valid credentials, a nightmarish scenario for any enterprise.
| CVE ID | Affected Product | Severity | Status |
|---|---|---|---|
| CVE-2025-20337 | Cisco Identity Services Engine (ISE) | Critical | Zero-day (Active Exploitation) |
| CVE-2025-5777 | Citrix Systems | Critical | Zero-day (Active Exploitation) |
The evidence of simultaneous exploitation of these vulnerabilities suggests a troubling trend: sophisticated threat actors are indiscriminately targeting internet-exposed systems, casting a wide net across critical infrastructure. This raises essential questions about how well organizations are prepared to defend against such attacks and whether they have the necessary resources to stay ahead of advanced threat actors.
Custom Webshell Evasion and Persistence Techniques
Following the successful exploitation of these vulnerabilities, attackers deployed a highly specialized webshell that masqueraded as a legitimate Cisco ISE component known as IdentityAuditAction. This custom-built backdoor is remarkable not only for its technical sophistication but also for its operational design, tailored specifically to blend into Cisco ISE environments. By employing advanced evasion techniques, the webshell was capable of bypassing traditional security detection mechanisms, marking a new level of complexity in cyber threats.
One of the standout features of this webshell is its operational model: it runs entirely in memory, which minimizes forensic traces on disk and the alerts it generates for security teams. This stealthy approach allows attackers to maintain a low profile while executing their objectives. Furthermore, the attackers utilized Java reflection to inject their code into existing application threads, registering themselves as an HTTP request listener on the Tomcat server, thereby gaining more control over the targeted environment.
In a bid to further camouflage their activities, the threat actors implemented non-standard DES encryption alongside custom Base64 encoding. These measures are specifically designed to thwart detection systems, making their operations even harder to identify and trace. Accessing this webshell necessitated knowledge of specific HTTP headers and an additional authentication layer, reinforcing the notion that this is not simply the work of amateur hackers but rather an intricate operation indicative of nation-state actors or highly skilled cybercriminal organizations.
The attackers’ custom tooling points to an impressive proficiency in enterprise Java applications, deep knowledge of Tomcat internals, and a strong understanding of Cisco ISE architecture. Such expertise is not commonly found in publicly available documentation, suggesting that these adversaries might have insider information or access to non-public vulnerability details.
Organizations must take serious note of the implications: identity management systems and remote access infrastructures are prime targets for such advanced threat actors. In response, security teams should urgently implement defense-in-depth strategies coupled with robust anomaly detection capabilities. This layered approach will help detect unusual behaviors that signal a breach or an attempted exploit.
Moreover, organizations should consider implementing firewall-based access restrictions to privileged security appliance endpoints and management portals. By doing so, they can significantly limit exposure to these potentially devastating pre-authentication exploits, thus fortifying their defenses against a growing number of sophisticated cyber threats.
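The two recommendations above (restrict who can reach management portals, and detect anomalous requests such as hits on undocumented endpoints like the one abused in CVE-2025-20337) can be checked against web access logs. The following is an added example, not code from the original article or from Amazon or Cisco; the log lines, the management subnet, the `/admin/` prefix and the baseline of known admin paths are all constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (combined-log style); not real ISE logs.
SAMPLE_LOG = """\
10.0.5.12 - - [19/Nov/2025:10:01:02 +0000] "GET /admin/login.jsp HTTP/1.1" 200 5120
203.0.113.45 - - [19/Nov/2025:10:01:09 +0000] "POST /admin/login.jsp HTTP/1.1" 200 5120
203.0.113.45 - - [19/Nov/2025:10:01:11 +0000] "POST /admin/internal/unlisted?x=1 HTTP/1.1" 200 48
10.0.5.12 - - [19/Nov/2025:10:02:30 +0000] "GET /admin/api/v1/status HTTP/1.1" 200 812
198.51.100.7 - - [19/Nov/2025:10:03:00 +0000] "GET /portal/self-service HTTP/1.1" 200 2048
"""

# Hypothetical policy: the management portal is only reachable from the management
# subnet, and only a documented baseline of admin paths is expected to be requested.
MGMT_NETS = [ip_network("10.0.5.0/24")]
ADMIN_PREFIX = "/admin/"
KNOWN_ADMIN_PATHS = {"/admin/login.jsp", "/admin/api/v1/status"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_management_source(ip):
    """True if the client address falls inside an allowlisted management network."""
    addr = ip_address(ip)
    return any(addr in net for net in MGMT_NETS)

def find_anomalies(log_text):
    """Return (line_no, reason, record) for each suspicious admin-portal request."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # compare the path without its query string
        if not path.startswith(ADMIN_PREFIX):
            continue
        if not is_management_source(rec["ip"]):
            findings.append((n, "admin portal reached from outside management network", rec))
        if path not in KNOWN_ADMIN_PATHS:
            findings.append((n, "request to undocumented admin endpoint", rec))
    return findings

if __name__ == "__main__":
    for n, reason, rec in find_anomalies(SAMPLE_LOG):
        print(f"line {n}: {reason}: {rec['ip']} {rec['method']} {rec['path']}")
```

Any finding of the first kind is a firewall gap rather than just a log event; findings of the second kind deserve a look at what the request body carried and what the process did next.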
