Active Campaign Uses Cisco and Citrix 0-Days to Deploy Persistent Webshells

By AnuPriya
Publication Date: 2025-11-13 06:56:00

Advanced threat actors are actively exploiting previously undisclosed zero-day vulnerabilities in critical enterprise systems, deploying custom webshells to establish administrative access across compromised networks.

Amazon’s threat intelligence team has uncovered a coordinated cyber campaign targeting Cisco Identity Services Engine (ISE) and Citrix systems, revealing the tactics of a highly sophisticated adversary with deep expertise in enterprise environments.

The threat was initially detected through Amazon’s MadPot honeypot service, which identified exploitation attempts against the Citrix Bleed Two vulnerability before public disclosure.

This early discovery demonstrated that threat actors had already weaponized the vulnerability in active attacks.

During their investigation, Amazon Threat Intelligence discovered a companion zero-day affecting Cisco ISE, exploiting a deserialization vulnerability on an undocumented endpoint to achieve pre-authentication…