Active Exploitation of Cisco ISE & Citrix NetScaler Zero-Days by an Advanced Threat Actor

Published on: November 14, 2025

Overview:
Amazon's threat intelligence team has observed an advanced persistent threat (APT) actor actively exploiting previously undisclosed zero-day vulnerabilities in:

  • Cisco Identity Services Engine (ISE / ISE-PIC) (unauthenticated remote code execution)
  • Citrix NetScaler ADC / NetScaler Gateway (memory over-read / CitrixBleed 2 family)

The AWS investigation (MadPot honeypots and telemetry) shows the actor used these zero-days to deploy custom malware, escalate privileges, and obtain access to sensitive data or sessions prior to public disclosure and patching. These are targeted, high-risk operations focused on appliances that mediate authentication, VPNs and application access.

Who It Impacts:

  • Organisations running Cisco ISE or ISE-PIC (network access control, authentication/authorization infrastructure).
  • Organisations running Citrix NetScaler ADC / Gateway (VPN/gateway/ICA proxy functions or AAA virtual servers).
  • Particularly exposed: internet-facing management/API endpoints, remote access gateways, and appliances used for authentication or segmentation control. If these appliances are reachable from untrusted networks or host critical authentication flows, treat them as high priority.

How It Impacts:

1. Cisco ISE / ISE-PIC – CVE-2025-20337 (Confirmed, Actively Exploited)

  • Vulnerability Type: Unauthenticated Remote Code Execution (RCE)
  • Impact: Allows attackers to run commands as root, take full control of the appliance, steal credentials, move laterally, and weaken network access controls.
  • Status: Cisco has confirmed exploitation in the wild and released security updates.

2. Citrix NetScaler ADC / Gateway – CVE-2025-7775 (Confirmed, Actively Exploited)

  • Vulnerability Type: Unauthenticated Remote Code Execution (RCE) via memory overflow / buffer corruption.
  • Impact: Attackers can run arbitrary code or cause denial-of-service on NetScaler appliances configured as Gateway/AAA or related virtual servers. This can lead to full appliance compromise, session hijacking, credential theft and further network access control bypass.
  • Status: Citrix has confirmed that exploitation of CVE-2025-7775 has been observed in the wild.

CVE Details:

Name                      CVE             Severity   CVSS
Citrix NetScaler Devices  CVE-2025-5777   Critical   9.3
Citrix NetScaler Devices  CVE-2025-6543   Critical   9.2
Cisco ISE/ISE-PIC         CVE-2025-20281  Critical   10
Cisco ISE/ISE-PIC         CVE-2025-20282  Critical   10
Cisco ISE/ISE-PIC         CVE-2025-20337  Critical   10

Vulnerability Summary:

CVE-2025-20281
  Affected Versions: ISE/ISE-PIC 3.3, 3.4
  Patched Versions:  3.3 Patch 7, 3.4 Patch 2
  Description:       API unauthenticated remote code execution via insufficient input validation

CVE-2025-20282
  Affected Versions: ISE/ISE-PIC 3.4 only
  Patched Versions:  3.4 Patch 2
  Description:       File upload vulnerability allowing arbitrary file execution with root privileges

CVE-2025-20337
  Affected Versions: ISE/ISE-PIC 3.3, 3.4
  Patched Versions:  3.3 Patch 7, 3.4 Patch 2
  Description:       API unauthenticated remote code execution via insufficient input validation

CVE-2025-5777
  Affected Versions:
    - ADC/Gateway 14.1 prior to 14.1-43.56
    - ADC/Gateway 13.1 prior to 13.1-58.32
    - 13.1-FIPS / NDcPP builds prior to 13.1-37.235
    - 12.1-FIPS releases (also vulnerable in hybrid deployments)
  Patched Versions:
    - 14.1-43.56 and later
    - 13.1-58.32 and later
    - 13.1-37.235 (FIPS/NDcPP) and later
  Description:       Memory over-read vulnerability ("CitrixBleed 2"); may lead to sensitive data exposure including session tokens, enabling session hijacking and unauthorized access.

CVE-2025-6543
  Affected Versions:
    - ADC/Gateway 14.1 prior to 14.1-47.46
    - ADC/Gateway 13.1 prior to 13.1-59.19
    - 13.1-FIPS / NDcPP builds prior to 13.1-37.236
    - 12.1-FIPS (vulnerable in hybrid deployments)
  Patched Versions:
    - 14.1-47.46 and later
    - 13.1-59.19 and later
    - 13.1-37.236 (FIPS/NDcPP) and later
  Description:       Memory overflow / corruption issue that may allow denial-of-service, appliance crash, or possible code execution depending on configuration.
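As an added example (not part of this advisory and not a Cisco, Citrix or AWS tool), the following Python script checks constructed inventory records against the fixed builds and patch levels in the vulnerability summary above. The Appliance records, hostnames and product labels are assumptions; the fixed-version strings are copied from the summary and should be confirmed against the vendor advisories before acting on the output. The script generalises the table into a numeric build comparison and handles the 13.1 FIPS/NDcPP branch separately, because FIPS builds are numbered 13.1-37.x and would be wrongly flagged if compared against the mainline 13.1-58.32 / 13.1-59.19 thresholds.

```python
import re
from dataclasses import dataclass

# Fixed builds / patch levels as stated in the advisory's vulnerability summary.
# NetScaler: first build on each branch that contains the fix.
NETSCALER_FIXED = {
    "CVE-2025-5777": {"14.1": "14.1-43.56", "13.1": "13.1-58.32", "13.1-FIPS": "13.1-37.235"},
    "CVE-2025-6543": {"14.1": "14.1-47.46", "13.1": "13.1-59.19", "13.1-FIPS": "13.1-37.236"},
}
# Cisco ISE / ISE-PIC: minimum patch number per release train.
ISE_FIXED = {
    "CVE-2025-20281": {"3.3": 7, "3.4": 2},
    "CVE-2025-20282": {"3.4": 2},
    "CVE-2025-20337": {"3.3": 7, "3.4": 2},
}


def parse_netscaler_build(build: str) -> tuple:
    """Turn a NetScaler build string such as '14.1-43.56' into (14, 1, 43, 56)
    so builds on the same branch compare numerically rather than as strings."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build: {build!r}")
    return tuple(int(x) for x in m.groups())


def netscaler_findings(build: str, fips: bool = False) -> list:
    """Return the CVEs from the table for which this build is below the fixed build.
    FIPS/NDcPP 13.1 builds are numbered 13.1-37.x, so they are compared against
    the FIPS threshold rather than the mainline 13.1 one."""
    ver = parse_netscaler_build(build)
    branch = f"{ver[0]}.{ver[1]}"
    if fips and branch == "13.1":
        branch = "13.1-FIPS"
    findings = []
    for cve, fixed_by_branch in NETSCALER_FIXED.items():
        if fips and branch == "12.1":
            # The table lists 12.1-FIPS as vulnerable without giving a fixed build.
            findings.append(cve)
            continue
        fixed = fixed_by_branch.get(branch)
        if fixed is not None and ver < parse_netscaler_build(fixed):
            findings.append(cve)
    return findings


def parse_ise_version(version: str) -> tuple:
    """'3.3 Patch 7' -> ('3.3', 7); a bare '3.4' is treated as patch level 0."""
    m = re.fullmatch(r"(\d+\.\d+)(?:\s+patch\s+(\d+))?", version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised ISE version: {version!r}")
    return m.group(1), int(m.group(2) or 0)


def ise_findings(version: str) -> list:
    """Return the CVEs whose fixed patch level for this train is above the installed one."""
    train, patch = parse_ise_version(version)
    return [cve for cve, fixed in ISE_FIXED.items()
            if train in fixed and patch < fixed[train]]


@dataclass
class Appliance:
    host: str       # hypothetical hostname
    product: str    # "netscaler" or "ise"
    version: str
    fips: bool = False


# Constructed inventory records: hostnames and installed versions are made up.
INVENTORY = [
    Appliance("gw-dmz-01.example.test", "netscaler", "14.1-43.56"),
    Appliance("gw-dmz-02.example.test", "netscaler", "13.1-37.200", fips=True),
    Appliance("ise-core-01.example.test", "ise", "3.3 Patch 6"),
    Appliance("ise-core-02.example.test", "ise", "3.4 Patch 2"),
]


def assess(inventory) -> dict:
    """Map each host to the list of table CVEs its installed version is still below."""
    report = {}
    for a in inventory:
        if a.product == "netscaler":
            report[a.host] = netscaler_findings(a.version, a.fips)
        elif a.product == "ise":
            report[a.host] = ise_findings(a.version)
        else:
            raise ValueError(f"unknown product {a.product!r} on {a.host}")
    return report


if __name__ == "__main__":
    for host, cves in assess(INVENTORY).items():
        status = "PATCH REQUIRED: " + ", ".join(cves) if cves else "at or above fixed build"
        print(f"{host:28} {status}")
```

Feed it the version strings your asset inventory or vendor CLI reports (the `fips` flag must come from the inventory, since the build number alone does not reveal it), and treat any host with a non-empty list as a patch-now item per the Recommendations below; a host whose branch is absent from the table (for example non-FIPS 12.1) is reported as clean only because the table says nothing about it, not because it is safe.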

Recommendations:

Patch Immediately:

  • Apply Cisco's fixed releases as per the Cisco advisory. If you cannot patch immediately, isolate the appliance from untrusted networks and restrict API/management access.
  • Apply Citrix fixes for the listed CVEs and other NetScaler advisories. If patching is delayed, apply vendor mitigation guidance and remove internet exposure for Gateway/AAA endpoints where possible.

Reduce Exposure:

  • Block management and API access from the internet. Place appliances behind management VPNs or jump hosts, restrict management to specific IPs, and enforce strong ACLs and network segmentation.
  • For NetScaler acting as Gateway/AAA, evaluate whether services can be fronted by an additional WAF / reverse proxy / network filter.

Reference Links:

https://cybersecuritynews.com/cisco-and-citrix-0-days-exploited/

https://cybersecuritynews.com/citrix-netscaler-devices-vulnerable/

https://cybersecuritynews.com/cisco-ise-rce-vulnerability-exploited-in-wild/

https://nvd.nist.gov/vuln/detail/CVE-2025-5777

https://nvd.nist.gov/vuln/detail/CVE-2025-6543

https://nvd.nist.gov/vuln/detail/CVE-2025-20281

https://nvd.nist.gov/vuln/detail/CVE-2025-20282

https://nvd.nist.gov/vuln/detail/CVE-2025-20337