- CVE-2025-20337 allows unauthenticated remote code execution as root on Cisco ISE systems
- Attackers implemented in-memory custom web shells with advanced evasion and encryption techniques
- Exploitation was widespread and indiscriminate with no specific industry or actor attribution
“Sophisticated” threat actors have exploited a maximum-severity zero-day vulnerability in Cisco Identity Services Engine (ISE), alongside a flaw in Citrix systems, to deploy custom backdoor malware, experts have claimed.
Amazon’s threat intelligence team said it recently came across an insufficient-validation-of-user-supplied-input vulnerability in Cisco ISE deployments. Exploiting it gives pre-authentication remote code execution on affected systems and administrator-level (root) access to the underlying operating system.
The researchers discovered the intrusion while investigating exploitation of the Citrix Bleed Two vulnerability (CVE-2025-5777), which was also exploited as a zero-day. The newly discovered Cisco bug is now tracked as CVE-2025-20337 and has been assigned a CVSS severity score of 10/10 (Critical).
“A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthorized remote attacker to execute arbitrary code on the underlying operating system as root,” the NVD site explains.
“The attacker does not require any valid credentials to exploit this vulnerability,” the advisory added, stressing that an attacker could exploit it by submitting a crafted API request.
The vulnerability was used to deploy a custom web shell masquerading as a legitimate Cisco ISE component named IdentityAuditAction, Amazon further explained, noting that the malware was not typical or off-the-shelf, but rather custom-built and designed specifically for Cisco ISE environments.
The web shell came with advanced evasion features: it operated entirely in memory, used Java reflection to inject itself into running threads, and registered as a listener so it could monitor every HTTP request handled by the Tomcat server. It encrypted its traffic with DES and encoded it with a non-standard Base64 alphabet, and it would only respond to requests carrying specific HTTP headers, so an operator needed to know those headers to reach it. Because nothing is written to disk, file-based scanning will not find a shell like this; defenders have to look at the running JVM (for example, for unexpected listener registrations in Tomcat) and at request patterns, and restarting the service after patching is what clears it from memory.
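The "non-standard Base64" layer described above is worth a closer look, because it is cheap for an attacker and defeats naive decoding: every symbol is still a legal Base64 character, so a standard decoder happily returns garbage instead of failing. The script below is an added example, not code from Amazon or from the IdentityAuditAction shell. It shows how a custom alphabet is applied, why standard decoding of the result is wrong, and how an analyst can recover the alphabet from a known plaintext/ciphertext pair obtained during dynamic analysis. The rotated alphabet and the sample bytes are constructed for illustration; the real shell's alphabet and its DES key are not given on the page, and the DES layer underneath would be handled with a crypto library once the Base64 layer is stripped.

```python
import base64
import binascii
import string

# Standard Base64 alphabet (RFC 4648), index 0..63.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed example alphabet: the standard one rotated by 17 positions.
# This is an assumption for the demo, NOT the alphabet used by the real shell.
ROTATED_ALPHABET = STD_ALPHABET[17:] + STD_ALPHABET[:17]


def _check_alphabet(alphabet: str) -> None:
    """A usable alphabet has 64 distinct symbols and never reuses the pad char."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    if "=" in alphabet:
        raise ValueError("'=' is reserved for padding")


def encode_custom_b64(raw: bytes, alphabet: str) -> str:
    """Base64-encode with a custom alphabet; padding stripped like many shells do."""
    _check_alphabet(alphabet)
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_custom_b64(data: str, alphabet: str) -> bytes:
    """Map the custom alphabet back to the standard one, restore padding, decode."""
    _check_alphabet(alphabet)
    std = data.rstrip("=").translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def standard_decode_or_none(data: str):
    """Naive analyst step: decode as ordinary Base64. Returns None only on
    invalid symbols; a custom-alphabet blob usually decodes to garbage instead."""
    padded = data.rstrip("=") + "=" * (-len(data.rstrip("=")) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def recover_alphabet(known_raw: bytes, observed: str) -> dict:
    """Given bytes you know were encoded (e.g. a command you sent while
    instrumenting the shell) and the string observed on the wire, recover the
    partial substitution custom_char -> standard_char. Symbols not present in
    the sample stay unknown; collect several pairs to fill in the table."""
    std = base64.b64encode(known_raw).decode("ascii").rstrip("=")
    observed = observed.rstrip("=")
    if len(std) != len(observed):
        raise ValueError("length mismatch: not a Base64 variant of this input")
    mapping = {}
    for custom_ch, std_ch in zip(observed, std):
        if mapping.setdefault(custom_ch, std_ch) != std_ch:
            raise ValueError(f"inconsistent mapping for {custom_ch!r}")
    return mapping


if __name__ == "__main__":
    # Constructed sample payload, not real C2 traffic.
    sample = b"hello"
    wire = encode_custom_b64(sample, ROTATED_ALPHABET)
    print("on the wire:        ", wire)
    print("naive decode:       ", standard_decode_or_none(wire))
    print("alphabet-aware:     ", decode_custom_b64(wire, ROTATED_ALPHABET))
    print("recovered mapping:  ", recover_alphabet(sample, wire))
```

The recovered mapping is only as complete as the symbols that appear in the captured pairs, so in practice the alphabet is best pulled directly from the decompiled class and this routine used to confirm it. Once the Base64 layer is off, the remaining bytes are DES ciphertext; the key and mode would come from the same decompilation, and with DES being a 56-bit cipher, the encryption is there to hide the traffic from casual inspection rather than to resist a determined analyst.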
Amazon did not attribute the attacks to any specific threat actor and said the attacks did not target any specific industry or organization. Instead, it was used indiscriminately and against as many organizations as possible.