Cisco ISE Vulnerability Exploited as 0day by APT (Campaign)

Amazon researchers observed an APT actively exploiting zero-day vulnerabilities in Citrix (CVE-2025-5777) and an undocumented Cisco ISE endpoint (CVE-2025-20337) to obtain pre-auth RCE and full administrative control. Attackers deployed a custom in-memory Java web shell disguised as IdentityAuditAction that intercepts HTTP requests and encrypts communications; no IOCs were published.