Citrix and Cisco Vulnerabilities Exploited in Zero-Day Attack

Amazon’s research team discovered two security issues that were actively exploited as zero-days.

An advanced hacker group exploited two serious vulnerabilities before security updates were available: Citrix Bleed 2 (CVE-2025-5777) and a flaw in Cisco ISE (CVE-2025-20337). According to Amazon Threat Intelligence, the vulnerabilities were already being used while Citrix and Cisco were still conducting their investigations.

Discovered via Amazon ‘Honeypots’

Amazon discovered the exploitation through its MadPot honeypot network, which is designed to attract attackers so that their methods can be studied. The attackers used the Citrix flaw to gain access to systems and exploited the second vulnerability, in Cisco ISE, to install a hidden web tool that allowed them to intercept traffic and steal data.

“Our honeypots saw the exploits before the public announcement,” Amazon told BleepingComputer. “This proves that the attackers were already using the vulnerability as a zero-day.” The attackers used custom malware that posed as an official component of Cisco ISE and therefore left almost no traces.

What Companies Need to Do Now

Both Citrix and Cisco have since released security updates. Companies are strongly advised to install these as soon as possible, and to better protect access to network equipment through firewalls and stricter access rules.