Unmasking Advanced Threats: Amazon’s Discovery of Exploited Zero-Day Vulnerabilities
In a striking revelation, Amazon’s threat intelligence team announced that they observed an advanced persistent threat (APT) group adeptly exploiting zero-day vulnerabilities linked to Cisco Identity Service Engine (ISE) and Citrix NetScaler products. These vulnerabilities had gone undetected until the vendors disclosed and subsequently patched them in the summer of 2025.
Identifying the Threats
The vulnerabilities in question, CVE-2025-5777 for Citrix and CVE-2025-20337 for Cisco, were discovered by Amazon’s MadPot honeypot service. This system detected the active exploitation of these critical defects, indicating a high level of sophistication on the attackers’ part. CJ Moses, Amazon’s Chief Information Security Officer, emphasized the substantial resources and expertise of the threat actor involved, drawing from detailed analysis and investigation.
Persistence and Evasion Techniques
According to Moses, Amazon’s assessment points firmly towards the same threat actor being responsible for exploiting both vulnerabilities. This indicates a concerning trend: threat actors are increasingly focusing their efforts on critical identity and network edge infrastructure. The speed at which these groups can weaponize vulnerabilities before vendors manage to disclose and patch them is alarming, as the landscape of cyber threats grows more complex and sophisticated.
The origin and identity of this particular threat group remain shrouded in mystery. However, Moses suggested that the primary motive behind these attacks is likely prolonged access to targets for espionage purposes. This possibility underscores the significance of understanding the attackers’ intentions and capabilities.
The Arsenal of Custom Malware
Amazon’s threat researchers revealed that the attackers employed custom malware featuring a backdoor specifically engineered for Cisco ISE environments. This malware exhibited advanced evasion techniques, showcasing the attackers’ profound understanding of enterprise Java applications and the internal workings of Tomcat—as well as the architectural nuances of Cisco ISE. Such technical expertise implies a methodical and well-planned approach to cyber attacks.
Timeline of Exploitation
The timeline surrounding these attacks further highlights the urgency of the threat. Cisco disclosed CVE-2025-20337 on June 25, but Amazon’s investigations revealed that exploitation had already been occurring as early as May. By early July, Amazon had identified pre-disclosure exploits and traced the malicious activity back to May and June. Sharing this finding proactively allowed Cisco to quickly inform its customers about the emerging issue.
For Citrix, CVE-2025-5777, also labeled CitrixBleed 2 because of its similarities to a previously known defect, was disclosed on June 17. The Cybersecurity and Infrastructure Security Agency (CISA) promptly added the vulnerability to its Known Exploited Vulnerabilities catalog by July 10. By mid-July, researchers had recorded a staggering 11.5 million attack attempts against various organizations since the vulnerability was revealed.
Ongoing Investigations
Despite the potential scale of the impacts, Amazon has been relatively reserved about the extent of the exploitation. While the CISO declined to share the specifics of the organizations affected, the urgency of these breaches highlights the pressing need for organizations to stay vigilant.
Moses noted that the use of multiple zero-day exploits by the threat group signifies their advanced capabilities in vulnerability research or access to undisclosed vulnerabilities. This fact reinforces the notion that attackers are becoming increasingly adept at navigating the evolving landscape of cyber threats, making it imperative for organizations to bolster their defenses.
Reflections on Cybersecurity Trends
Amazon’s revelation emphasizes several crucial trends: the growing focus by threat actors on identity and network infrastructure, the rapid weaponization of vulnerabilities, and the importance of sharing intelligence to protect against such advanced threats. As organizations continue to face these challenges, the cybersecurity community must remain ever-vigilant in preventing similar breaches and protecting sensitive information across the digital landscape.
Through this detailed approach, it becomes clear that understanding the nuances of cybersecurity threats is essential for building robust defense mechanisms to combat the ever-evolving landscape of cybercrime.
