bleepingcomputer.com
By Bill Toulas
November 12, 2025

An advanced threat actor exploited the critical vulnerabilities “Citrix Bleed 2" (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Service Engine (ISE) as zero-days to deploy custom malware.

Amazon’s threat intelligence team, analyzing “MadPot” honeypot data, found that hackers leveraged the two security issues before the security issues were disclosed publicly and patches became available.

“Our Amazon MadPot honeypot service detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) prior to public disclosure, indicating a threat actor had been exploiting the vulnerability as a zero-day,” explains Amazon.

“Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic.”

Citrix Bleed 2 is a NetScaler ADC and Gateway out-of-bounds memory read problem that the vendor published fixes for in late June.

Although the vendor needed a longer period to confirm that the flaw was leveraged in attacks, despite multiple third-party reports claiming it was used in attacks, exploits became available in early July, and CISA tagged it as exploited.

The flaw in ISE (CVE-2025-20337), with a maximum severity score, was published on July 17, when Cisco warned that it could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.

In less than five days, the vendor reissued its warning about CVE-2025-20337 being actively exploited. On July 28, researcher Bobby Gould published technical details in a write-up that included an exploit chain.

In a report shared with BleepingComputer, Amazon says that both flaws were leveraged in APT attacks before Cisco and Citrix published their initial security bulletins.

The hackers leveraged CVE-2025-20337 to gain pre-auth admin access to Cisco ISE endpoints, and deployed a custom web shell named ‘IdentityAuditAction,’ disguised as a legitimate ISE component.

The web shell registered as an HTTP listener to intercept all requests and used Java reflection to inject into Tomcat server threads.

It also employed DES encryption with non-standard base64 encoding for stealth, required knowledge of specific HTTP headers to access, and left minimal forensic traces behind.

The use of multiple undisclosed zero-day flaws and the advanced knowledge of Java/Tomcat internals and the Cisco ISE architecture all point to a highly resourced and advanced threat actor. However, Amazon could not attribute the activity to a known threat group.

Curiously, though, the targeting appeared indiscriminate, which doesn’t match the typically tight scope of highly targeted operations by such threat actors.

It is recommended to apply the available security updates for CVE-2025-5777 and CVE-2025-20337, and limit access to edge network devices through firewalls and layering.

bitdefender.com 19.08.2025 - A hack of the Netherlands' Public Prosecution Service has had an unusual side effect - causing some speed cameras to be no longer capturing evidence of motorists breaking the rules of the road.
Last month, Dutch media reports confirmed that Openbaar Ministerie (OM), the official body responsible for bringing suspects before the criminal court in the Netherlands, had suffered a security breach by hackers.

The National Cybersecurity Centre (NCSC) and data protection regulators in The Netherlands were informed that a data breach had potentially occurred, and an internal memo from the organisation's director of IT warned of the risks of reconnecting systems to the internet without knowing that the hackers had been expelled from the network.

And it is the disconnection of systems which has left many speed cameras in a non-functioning state - news that will bemuse cybercriminals, delight errant motorists, but is unlikely to be welcomed by those who care about road safety.

Local media reports claim that fixed speed cameras, average speed checks, and portable speed cameras that are usually in one location for about two months before relocation are impacted by the outage - with the only type to escape the problem being those which look out for motorists who are using their mobile phone while driving.

According to evidence seen by journalists, the Public Prosecution Service took itself offline on July 17, following suspicions that hackers had exploited vulnerabilities in Citrix devices to gain unauthorised access.

The organisation's disconnection from the internet left workers still able to email each other internally, but any communications or documents that were needed outside the organisation had to be printed out on paper.

Marthyne Kunst, a member of the crisis team dealing with the hack, told the media that this meant messages were having to be sent by post, lawyers were having to bring paperwork to their cases.

The consequence? Cases may be prevented from going ahead in a timely fashion.

"Unfortunately, it all takes more time," said Kunst.

And as for the speed cameras? Well, apparently it is not possible to reactivate them while the prosecution service's systems are down.

So this isn't a case of police cameras being hacked (although that has happened before), but it is another example of how all manner of connected systems can be impacted in the aftermath of a cyber attack.

The outage of speed cameras in the Netherlands is a timely reminder to us that cyber attacks do not just steal data - they can cause repercussions in sometimes strange and dangerous ways. In this instance, a hack hasn't only slowed down court cases and forced lawyers back to their filing cabinets, it has also blinded cameras designed to keep roads safe.

Description of Problem
A vulnerability has been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.

Affected Versions
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.46
NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.19
NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.236-FIPS and NDcPP

NetScaler ADC 12.1-FIPS is not affected by this vulnerability.

Additional Note: Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities.

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades the Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates.

Details
NetScaler ADC and NetScaler Gateway contain the vulnerability mentioned below:

CVE-ID

Description Pre-conditions CWE CVSSv4
CVE-2025-6543

Memory overflow vulnerability leading to unintended control flow and Denial of Service

NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS v4.0 Base Score: 9.2

(CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)

What Customers Should Do
Exploits of CVE-2025-6543 on unmitigated appliances have been observed.

Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases
NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP. Customers should contact support - https://support.citrix.com/support-home/home to obtain the 13.1-FIPS and 13.1-NDcPP builds that address this issue.

Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and no longer supported. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

Exploit attempts for unpatched Citrix vulnerability, Author: Johannes Ullrich

This one is a privesc bug yielding SYSTEM privileges for any VDI user, which is actually a lot worse than it might initially sound since that’s SYSTEM privileges on the server that hosts all the applications and access is ‘by design’ - allowing an attacker to impersonate any user (including administrators) and monitor behaviour, connectivity.

Two bugs in Citrix technology are drawing serious attention this week from the Cybersecurity and Infrastructure Security Agency.

CISA says federal agencies much patch one of the vulnerabilities — tagged as CVE-2023-6548 — by January 24. It’s one of the rare times the cyber agency has put a remediation date of less than three weeks on a vulnerability.

CISA did not respond to requests for comment about why the remediation timeline was shorter than most.

The other bug — listed as CVE-2023-6548 — must be fixed by February 7. CISA’s alerts are aimed at federal agencies but often serve as general warnings for the public.

Several new vulnerabilities with critical severity scores are causing alarm among experts and cyber officials.

Zero-day bugs affecting products from Citrix and Apache have recently been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) known exploited vulnerability (KEV) list.

Incident responders at the cybersecurity company Rapid7 warned of hackers connected to the HelloKitty ransomware exploiting a vulnerability affecting Apache ActiveMQ, classified as CVE-2023-46604. Apache ActiveMQ is a Java-language open source message broker that facilitates communication between servers.

Citrix warned admins today to secure all NetScaler ADC and Gateway appliances immediately against ongoing attacks exploiting the CVE-2023-4966 vulnerability.

It's time for another round Citrix Patch Diffing! Earlier this month Citrix released a security bulletin which mentioned "unauthenticated buffer-related vulnerabilities" and two CVEs. These issues affected Citrix NetScaler ADC and NetScaler Gateway.

A threat actor believed to be tied to the FIN8 hacking group exploits the CVE-2023-3519 remote code execution flaw to compromise unpatched Citrix NetScaler systems in domain-wide attacks.

Fox-IT (part of NCC Group) has uncovered a large-scale exploitation campaign of Citrix NetScalers in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD). An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access. The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted. At the time of writing, more than 1900 NetScalers remain backdoored. Using the data supplied by Fox-IT, the Dutch Institute of Vulnerability Disclosure has notified victims.

An unauthenticated RCE flaw (CVE-2022-27518) is being leveraged by APT5 to compromise Citrix ADC deployments.

Learn about security updates for versions 12.1 (including FIPS and NDcPP) and 13.0 before 13.0-58.32 of Citrix ADC and Citrix Gateway and get fixes for both (security bulletin CTX474995).

At the start of 2022, CrowdStrike Intelligence and CrowdStrike Services investigated an incident in which PROPHET SPIDER exploited CVE-2021-22941 — a remote code execution (RCE) vulnerability impacting Citrix ShareFile Storage Zones Controller — to compromise a Microsoft Internet Information Services (IIS) web server. The adversary exploited the vulnerability to deploy a webshell that enabled the downloading of additional tools. This incident highlights how PROPHET SPIDER continues to evolve their tradecraft while continuing to exploit known web-server vulnerabilities.