By Dataconomy
Publication Date: 2025-11-13 12:41:00
Threat actors utilized a maximum-severity zero-day vulnerability in Cisco Identity Service Engine (ISE) and Citrix systems to deploy custom backdoor malware.
Amazon’s threat intelligence team identified an insufficient validation of user-supplied input vulnerability in Cisco ISE deployments. This allowed pre-authentication remote code execution on compromised endpoints, providing administrator-level access. The bug, tracked as CVE-2025-20337, has a severity score of 10/10 (critical).
Researchers discovered this intrusion while investigating a Citrix Bleed Two vulnerability, also exploited as a zero-day. According to the NVD page, “A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root.” The advisory states, “The attacker does not require any valid credentials to exploit this vulnerability,” indicating exploits occur by submitting a…