- CVE-2025-20337 Allows Unauthenticated Remote Code Execution in Cisco ISE Systems
- The attackers deployed custom in-memory web shells with advanced evasion and encryption techniques.
- The exploits were widespread and indiscriminate, with no specific attribution to any industry or actor.
“Sophisticated” threat actors used a maximum-severity zero-day vulnerability in Cisco Identity Services Engine (ISE), alongside a Citrix flaw, to deploy custom backdoor malware, experts claimed.
Amazon’s threat intelligence team said it recently discovered a vulnerability in Cisco ISE deployments stemming from insufficient validation of user-provided input, allowing pre-authentication remote code execution on compromised endpoints and granting administrator-level access to the systems.
Researchers discovered the intrusion while investigating a Citrix Bleed Two vulnerability that was also exploited as a zero-day. The newly discovered bug is now tracked as CVE-2025-20337 and has been assigned a severity score of 10/10 (critical).
“A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root,” the NVD page explains.
“The attacker does not require any valid credentials to exploit this vulnerability,” the advisory adds, noting that an attacker could exploit it by submitting a crafted API request.
The vulnerability was used to deploy a custom web shell disguised as a legitimate Cisco ISE component named IdentityAuditAction, Amazon explained, noting that the malware was neither a typical nor a commercially available tool, but rather one customized and designed specifically for Cisco ISE environments.
The web shell had advanced evasion features, including operating entirely in memory, using Java reflection to inject itself into running threads, and registering as a listener to monitor all HTTP requests to the Tomcat server. It also implemented DES encryption with non-standard Base64 encoding and required knowledge of specific HTTP headers to access.
Amazon did not attribute the attacks to any specific threat actor and said they did not target any specific industry or organization. Instead, the vulnerability was exploited indiscriminately, against as many organizations as possible.