By Matt Kapko
Publication Date: 2025-11-12 18:27:00
Amazon’s threat intelligence team said it observed an advanced persistent threat group exploiting zero-day vulnerabilities affecting Cisco Identity Services Engine and Citrix NetScaler products before the vendors disclosed and patched the defects last summer.
Amazon’s MadPot honeypot service detected active exploitation of the critical defects — CVE-2025-5777 in Citrix and CVE-2025-20337 in Cisco — and through further investigation determined a highly resourced threat actor was behind the attacks, CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post Wednesday.
“We assess with high confidence it was the same threat actor observed exploiting both vulnerabilities,” Moses told CyberScoop in an email.
Amazon said its discovery reinforced multiple trends afoot, including threat groups’ increased focus on identity and network edge infrastructure and their ability to quickly weaponize vulnerabilities as zero-days…