CitrixBleed 2 and Cisco Zero-Day Exploits Hit Organizations Before Patches Released

APT group exploits Citrix and Cisco zero-days before patches, highlighting risks in identity management systems. Learn how to protect your edge devices.
Content Team

Amazon's threat intelligence team discovered that sophisticated attackers exploited two critical vulnerabilities as zero-days before the vendors issued patches. The unnamed advanced persistent threat (APT) group targeted CitrixBleed 2 (CVE-2025-5777) in Citrix NetScaler systems and a maximum-severity bug (CVE-2025-20337) in Cisco Identity Services Engine for a month before disclosure.

The CitrixBleed 2 flaw allows attackers to hijack admin sessions and join any NetScaler session, while the Cisco vulnerability enables remote code execution as root. Amazon observed the same attackers hitting both systems simultaneously and deploying custom web shells designed to remain hidden in memory.

This "patch-gap" exploitation technique, in which attackers strike during the window before a fix is available or applied, highlights how advanced threat actors target identity and access management infrastructure. Organizations should assume edge devices are vulnerable, implement blast radius reduction, and shift from patch-centric to exposure-centric security approaches.

Source: Dark Reading
