By Sead Fadilpašić
Publication Date: 2025-11-13 12:03:00
- CVE-2025-20337 enables unauthenticated remote code execution in Cisco ISE systems
- Attackers deployed custom in-memory web shells with advanced evasion and encryption techniques
- Exploits were widespread and indiscriminate, with no specific industry or actor attribution
“Sophisticated” threat actors have been exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix systems, including a maximum-severity flaw in ISE, to deploy custom backdoor malware, experts have claimed.
Amazon's threat intelligence team said it recently came across a previously unknown vulnerability in Cisco ISE deployments, caused by insufficient validation of user-supplied input. Exploiting it gave attackers pre-authentication remote code execution on the compromised endpoints and administrator-level access to those systems.
The researchers discovered the intrusion while investigating exploitation of the Citrix Bleed Two vulnerability, which was also being abused as a zero-day. The newly found bug is now tracked as CVE-2025-20337 and has been assigned a severity score of…

