Citrix and Cisco attacks discovered via Amazon honeypot

By Erik van Klinken
Publication Date: 2025-11-12 14:43:00

An unidentified hacker group exploited the critical zero-day vulnerabilities CVE-2025-5777 in Citrix NetScaler and CVE-2025-20337 in Cisco Identity Services Engine. Amazon’s threat intelligence team discovered the attacks via its MadPot honeypot before the vulnerabilities became public knowledge.

Amazon’s MadPot honeypot detected exploitation attempts for Citrix Bleed 2 (CVE-2025-5777) before the vulnerability was publicly disclosed. This provided evidence that an attacker was already exploiting the vulnerability. Through further investigation of the same attacker, Amazon also discovered a previously undocumented vulnerability, in other words a zero-day, in Cisco ISE.

Citrix Bleed 2 involves an out-of-bounds memory read issue in NetScaler ADC and Gateway. Citrix published patches at the end of June. Although the vendor needed time to confirm that the vulnerability was being exploited in attacks, exploits appeared as early as the beginning of July. CISA then marked the…