CitrixBleed 2 Zero-Day Exploited Weeks Before Public Disclosure in Advanced Campaign

The cybersecurity landscape in late 2025 was shaken by revelations that an advanced persistent threat actor exploited critical zero-day vulnerabilities in Citrix NetScaler and Cisco ISE products well before patches or public advisories were released. The attacks, uncovered by Amazon’s MadPot honeypot intelligence network, demonstrate the growing sophistication of state-level threat actors and the widening gap between exploitation and detection in enterprise security infrastructure.

The Exploit Mechanics

At the center of this campaign sat CVE-2025-5777, dubbed “CitrixBleed 2,” an out-of-bounds memory read vulnerability affecting NetScaler ADC and NetScaler Gateway products. The flaw allowed attackers to exfiltrate up to 127 bytes of sensitive data per request, potentially exposing session tokens, authentication cookies, and user credentials through memory disclosure. Unlike typical buffer overflows, this vulnerability exploited the way NetScaler handled memory allocation during session validation, leaking fragments of adjacent memory that often contained active session identifiers.

The attackers chained CitrixBleed 2 with CVE-2025-20337, a maximum-severity flaw in Cisco Identity Services Engine (ISE) that enabled pre-authentication remote code execution with root privileges. By combining both vulnerabilities, the threat actor gained persistent access to critical network infrastructure, deploying a custom web shell named “IdentityAuditAction” that masqueraded as a legitimate ISE component. The web shell registered as an HTTP listener to intercept all incoming requests and used Java reflection to inject into Tomcat server threads, employing DES encryption with non-standard Base64 encoding to evade detection.

Affected Systems

The scope of affected infrastructure was vast. Citrix NetScaler ADC and Gateway are deployed across tens of thousands of enterprise networks globally, serving as the primary secure access gateway for remote workers. Cisco ISE functions as the central policy enforcement point for network access control in many organizations, meaning compromise of this system effectively grants attackers the keys to the entire network kingdom. Any organization running unpatched versions of these products between June and November 2025 remained at risk.

Amazon’s threat intelligence team confirmed that exploitation attempts were detected before either vendor published security bulletins, indicating a highly resourced threat actor with advance knowledge of these vulnerabilities. The targeting appeared surprisingly indiscriminate, which is unusual for advanced persistent threat operations that typically focus on specific high-value targets. This broad targeting pattern suggests the actor was building infrastructure for future operations rather than pursuing immediate objectives.

The Mitigation Strategy

Citrix released patches for CVE-2025-5777 in late June 2025, though the company took considerable time to confirm active exploitation despite multiple third-party reports. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on July 11, 2025, requiring federal agencies to patch within a single day. Cisco published its advisory for CVE-2025-20337 on July 17, with active exploitation confirmed within five days of the initial disclosure.

Organizations should immediately apply all available security updates for both CVE-2025-5777 and CVE-2025-20337. Beyond patching, network administrators must invalidate all active sessions on NetScaler devices, rotate administrative credentials, and audit ISE deployments for indicators of compromise including the “IdentityAuditAction” web shell. Implementing network segmentation to limit lateral movement from compromised gateway devices provides an essential defense-in-depth measure.
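The paragraph above makes the key point that patching CVE-2025-5777 does not help a user whose session token was already read out of memory: that session stays valid until it is explicitly killed. The following added example (not Citrix's, Cisco's or Amazon's code) audits a constructed session table to decide which sessions to revoke and which to review first; the field names and the patch timestamp are assumptions for the example, not the appliance's real schema.

```python
from datetime import datetime, timezone

# Assumed time the patched NetScaler build went live (example value).
PATCH_APPLIED = datetime(2025, 6, 26, 12, 0, tzinfo=timezone.utc)

# Constructed session table for the example; field names are assumptions,
# not the appliance's real schema.
SESSIONS = [
    {"session_id": "s-001", "user": "alice",
     "issued_at": "2025-06-20T08:15:00Z", "last_seen": "2025-06-27T09:00:00Z",
     "src_ips": ["10.1.1.5", "203.0.113.9"]},
    {"session_id": "s-002", "user": "bob",
     "issued_at": "2025-06-25T17:40:00Z", "last_seen": "2025-06-25T18:10:00Z",
     "src_ips": ["10.1.1.7"]},
    {"session_id": "s-003", "user": "carol",
     "issued_at": "2025-06-26T13:05:00Z", "last_seen": "2025-06-26T15:30:00Z",
     "src_ips": ["10.1.2.3"]},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the constructed table."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sessions_to_revoke(sessions, patch_time):
    """Every session issued before the patch could have had its token read
    out of memory; the patch does not expire it, so it must be killed."""
    return sorted(s["session_id"] for s in sessions
                  if parse_ts(s["issued_at"]) < patch_time)


def reused_after_patch(sessions, patch_time):
    """Pre-patch sessions still in use after patching: a stolen token being
    replayed would look exactly like this, so review these first."""
    return sorted(s["session_id"] for s in sessions
                  if parse_ts(s["issued_at"]) < patch_time
                  and parse_ts(s["last_seen"]) > patch_time)


def multi_origin_sessions(sessions):
    """One session identifier presented from more than one source address is
    the classic sign of a hijacked session; returns id -> sorted addresses."""
    return {s["session_id"]: sorted(set(s["src_ips"]))
            for s in sessions if len(set(s["src_ips"])) > 1}


if __name__ == "__main__":
    print("revoke:", sessions_to_revoke(SESSIONS, PATCH_APPLIED))
    print("review first:", reused_after_patch(SESSIONS, PATCH_APPLIED))
    print("multi-origin:", multi_origin_sessions(SESSIONS))
```

On a real appliance the revocation list feeds the session-kill step and the multi-origin list feeds the incident review, together with the credential rotation the paragraph calls for.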

Lessons Learned

This incident exposes several critical failures in the current vulnerability disclosure and response ecosystem. First, the gap between private exploitation and public patching can stretch weeks or months, during which organizations remain unknowingly exposed. Second, edge network devices like VPN gateways and access controllers represent high-value targets that receive insufficient monitoring compared to internal servers. Third, the sophistication of custom malware deployed in these attacks, including deep knowledge of Java and Tomcat internals, indicates that threat actors are investing heavily in understanding the specific technologies they target.

The discovery by Amazon’s MadPot honeypot network also highlights the value of threat intelligence infrastructure that can detect exploitation before vendors acknowledge vulnerabilities. Organizations that rely solely on vendor advisories for threat awareness will always remain behind the curve.

User Action Required

Security teams should conduct immediate audits of all Citrix NetScaler and Cisco ISE deployments. Check for unauthorized web shells, unusual Java processes, and anomalous network traffic patterns. Apply all available patches, reset session tokens, and implement continuous monitoring for these critical infrastructure components. Consider deploying network detection and response solutions that can identify exploitation patterns independent of signature-based detection. The crypto and blockchain space should take particular note, as many exchanges and DeFi platforms rely on similar enterprise infrastructure for their operational security.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified cybersecurity professionals for specific security concerns.

9 thoughts on “CitrixBleed 2 Zero-Day Exploited Weeks Before Public Disclosure in Advanced Campaign”

1. Yuto: Bounties work when the payout matches the risk. Too many protocols offer $50K for a critical finding worth millions in potential damage.

2. Bug bounties work when the payout matches the risk. Too many protocols lowball critical findings and then act surprised when exploits happen.

    1. Chromium paid nothing for a critical while Zerodium paid $250K for the same bug. The bounty market is completely broken.

    2. zero_day_grind: bounty_hunt the gap between exploitation and detection is what makes this scary. Threat actors had weeks before public disclosure.

3. 127 bytes per request doesn't sound bad until you realize session tokens are like 40 bytes. One request and they own your session.
