TechRadar
Sead Fadilpašić

Hackers turn Cisco and Citrix zero-days into a malware nightmare

  • CVE-2025-20337 enables unauthenticated remote code execution in Cisco ISE systems
  • Attackers deployed custom in-memory web shells with advanced evasion and encryption techniques
  • Exploits were widespread and indiscriminate, with no specific industry or actor attribution

“Sophisticated” threat actors have been exploiting a maximum-severity zero-day vulnerability in Cisco Identity Services Engine (ISE), alongside a separate Citrix zero-day, to deploy custom backdoor malware, experts have claimed.

Amazon's threat intelligence team said it recently came across attackers abusing an insufficient-validation-of-user-supplied-input flaw in Cisco ISE deployments. The bug gives an unauthenticated attacker remote code execution before any login takes place, and the resulting access is at the administrator level on the compromised system.

The researchers discovered the intrusion while investigating Citrix Bleed Two (CVE-2025-5777, in NetScaler ADC and Gateway), which was also being exploited as a zero-day at the time. The newly found Cisco bug is now tracked as CVE-2025-20337 and has been assigned a CVSS score of 10.0, the maximum possible.

A custom in-memory web shell

“A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root,” the NVD page explains.

“The attacker does not require any valid credentials to exploit this vulnerability,” the advisory added, stressing that an attacker could exploit it by submitting a crafted API request.

The vulnerability was used to deploy a custom web shell disguised as a legitimate Cisco ISE component named IdentityAuditAction, Amazon further explained. The malware was not an off-the-shelf tool but a purpose-built implant designed specifically for Cisco ISE environments.

The web shell came with advanced evasion capabilities: it operated entirely in memory, so it left no file on disk for scanners or integrity checks to find; it used Java reflection to inject itself into running threads; and it registered itself as a listener so it could observe every HTTP request passing through the Tomcat server. It also encrypted its traffic with DES, encoded with a non-standard Base64 alphabet, and only responded to requests carrying specific HTTP headers, which keeps casual scanning from ever triggering it.
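Because the implant lives only in memory and borrows the name of a legitimate component, a file-based sweep of the appliance will not find it. One practical hunt is to diff the set of loaded classes in a suspect node's Tomcat JVM against a known-good node, then prioritise any new class whose simple name collides with an existing component (the look-alike pattern Amazon described). The script below is an added example written for this article, not code from Amazon or Cisco; it parses `jmap -histo` output, and the two histograms embedded in it are constructed samples whose Cisco package names (`com.cisco.ise.audit`, `com.cisco.ise.runtime`) are assumptions, not real ISE class names. It also assumes you can obtain a live-object histogram from the node, which on an appliance may require vendor assistance.

```python
import re

# One data row of `jmap -histo:live <pid>` output, e.g.
#   "   3:           200          51200  com.cisco.ise.audit.IdentityAuditAction"
# Newer JDKs append a "(module@version)" column; it is simply ignored here.
HISTO_ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\d+)\s+(\S+)")

# Constructed sample histograms. NOT real Cisco ISE output: the com.cisco.ise.*
# package names are assumptions made for this example.
BASELINE_HISTO = """\
 num     #instances         #bytes  class name
----------------------------------------------
   1:        120000        8400000  [B
   2:         60000        1440000  java.lang.String
   3:           200          51200  com.cisco.ise.audit.IdentityAuditAction
   4:            40          10240  org.apache.catalina.core.StandardWrapper
   5:            12           1536  org.apache.catalina.core.StandardHostValve
"""

SUSPECT_HISTO = """\
 num     #instances         #bytes  class name
----------------------------------------------
   1:        121000        8470000  [B
   2:         60500        1452000  java.lang.String
   3:           200          51200  com.cisco.ise.audit.IdentityAuditAction
   4:            40          10240  org.apache.catalina.core.StandardWrapper
   5:            12           1536  org.apache.catalina.core.StandardHostValve
   6:             1            128  com.cisco.ise.runtime.IdentityAuditAction
   7:             8            512  java.util.zip.Inflater
"""


def parse_histo(text):
    """Return {fully-qualified class name: (instances, bytes)}.

    Array types ([B, [Lfoo;) are skipped: they carry no class-name signal.
    """
    classes = {}
    for line in text.splitlines():
        m = HISTO_ROW.match(line)
        if m and not m.group(3).startswith("["):
            classes[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return classes


def simple_name(fqcn):
    """'com.cisco.ise.audit.IdentityAuditAction' -> 'IdentityAuditAction'."""
    return fqcn.rsplit(".", 1)[-1]


def find_injected(baseline_text, suspect_text):
    """Classes present in the suspect JVM but absent from the baseline.

    Each finding is (class_name, live_instances, mimicked) where `mimicked`
    lists baseline classes sharing the same simple name. A new class that
    reuses a legitimate component's name under a different package is the
    look-alike pattern used by the implant, so it is the first thing to pull
    out of a full heap dump for inspection.
    """
    baseline = parse_histo(baseline_text)
    suspect = parse_histo(suspect_text)
    legit_by_simple = {}
    for name in baseline:
        legit_by_simple.setdefault(simple_name(name), []).append(name)
    findings = []
    for name in sorted(set(suspect) - set(baseline)):
        mimicked = legit_by_simple.get(simple_name(name), [])
        findings.append((name, suspect[name][0], mimicked))
    return findings


def triage(findings):
    """Split findings into look-alike names (investigate first) and the rest."""
    lookalikes = [name for name, _, mimicked in findings if mimicked]
    others = [name for name, _, mimicked in findings if not mimicked]
    return lookalikes, others


if __name__ == "__main__":
    for name, count, mimicked in find_injected(BASELINE_HISTO, SUSPECT_HISTO):
        tag = f"LOOK-ALIKE of {mimicked}" if mimicked else "new class, triage"
        print(f"{name:50} instances={count:<4} {tag}")
```

On the constructed data the diff yields two new classes: `java.util.zip.Inflater`, which is the kind of lazily loaded JDK class that routinely appears between snapshots and needs only a quick look, and a second `IdentityAuditAction` under a different package, which is flagged as a look-alike. A histogram only lists classes that currently have live instances, so take it while the appliance is serving traffic; a listener that has registered itself with Tomcat will be alive and therefore visible.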

Amazon did not attribute the attacks to any particular threat actor, and said they were not aimed at a specific industry or organization. Instead, the exploit was used indiscriminately against as many organizations as possible.
