Cisco and Citrix 0-Days Exploited

Source: Cyber Security News

An advanced hacking group has been exploiting zero-day vulnerabilities in Cisco Identity Services Engine and Citrix systems. One vulnerability, known as ‘Citrix Bleed Two’ (CVE-2025-5777), allows attackers to execute code remotely. Meanwhile, a similar zero-day in Cisco ISE, designated CVE-2025-20337, facilitates admin control through faulty data handling.

The attack took place before the vulnerabilities were publicly known, showing that the hackers were acting ahead of disclosure. They crafted a custom webshell, named ‘IdentityAuditAction,’ which operates in memory to evade detection. The webshell employs sophisticated techniques to manipulate and encrypt commands while monitoring incoming traffic. This incident underscores the need for robust security measures against pre-authentication exploits.

Amazon’s analysis reveals a systemic approach by attackers targeting critical identity management systems, indicating that even sophisticated defenses may be vulnerable. Security professionals are advised to strengthen their defenses by utilizing layered approaches and maintaining vigilant monitoring against unusual behaviors. This situation serves as a reminder for organizations to stay alert in an evolving threat landscape.

👉 Read the original: Cyber Security News