By Ashish Khaitan
Publication Date: 2025-11-13 08:08:00
Amazon’s threat intelligence division has revealed a cyber-espionage campaign in which an advanced persistent threat (APT) group exploited previously undisclosed zero-day vulnerabilities in systems from Cisco and Citrix. The investigation showed that the attackers specifically targeted critical identity and network access control infrastructure: the components enterprises rely on to manage authentication and enforce security policies across their networks.
The initial discovery came from Amazon’s MadPot honeypot service, which detected exploitation attempts of the Citrix “Bleed Two” vulnerability, now tracked as CVE-2025-5777, before it had been made public. This early detection confirmed that the APT had been using the flaw as a zero-day vulnerability.
Further analysis linked the same threat actor to another zero-day vulnerability within Cisco Identity Service Engine (ISE). Amazon shared details of a suspicious payload with Cisco, which led to the…

