Cisco ISE and Citrix NetScaler ADC zero-day malware delivery campaign
Campaign
Summary
Hide ▲
Show ▼
A zero-day exploitation campaign against Cisco ISE and Citrix NetScaler ADC is delivering custom malware into enterprise identity and network access control infrastructure. The operation used CVE-2025-5777 and CVE-2025-20337 to reach exposed appliances and then plant a disguised IdentityAuditAction web shell. The broad, indiscriminate targeting raises the risk of unauthorized access across enterprise networks.
Related Happenings
Citrix security patch release for CVE-2026-13474
Security Patch Release
H score35
First: 01.07.2026 06:54
Last: 01.07.2026 06:54
Sources 1
About this happening:
**Citrix** released security updates for **NetScaler ADC** and **NetScaler Gateway** to fix **six vulnerabilities** that could enable **arbitrary file reads** or **denial of servi...
Citrix security patch release for CVE-2026-13474
Security Patch ReleaseAbout this happening: **Citrix** released security updates for **NetScaler ADC** and **NetScaler Gateway** to fix **six vulnerabilities** that could enable **arbitrary file reads** or **denial of servi...
NetScaler ADC/Gateway arbitrary file read security flaw (CVE-2026-10816)
Vulnerability
H score30
First: 01.07.2026 06:54
Last: 01.07.2026 06:54
Sources 1
About this happening:
Citrix's **NetScaler ADC** and **NetScaler Gateway** now have **CVE-2026-10816**, a **7.7** flaw that can expose files through **unauthenticated arbitrary file read** when managem...
NetScaler ADC/Gateway arbitrary file read security flaw (CVE-2026-10816)
VulnerabilityAbout this happening: Citrix's **NetScaler ADC** and **NetScaler Gateway** now have **CVE-2026-10816**, a **7.7** flaw that can expose files through **unauthenticated arbitrary file read** when managem...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
H score66
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector ActionAbout this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
Citrix security patch release for CVE-2026-3055
Security Patch Release
H score44
First: 24.03.2026 07:59
Last: 24.03.2026 07:59
Sources 1
About this happening:
Citrix's **NetScaler ADC** and **NetScaler Gateway** updates close **CVE-2026-3055** and **CVE-2026-4368**, including a flaw that could leak sensitive memory from configured appli...
Citrix security patch release for CVE-2026-3055
Security Patch ReleaseAbout this happening: Citrix's **NetScaler ADC** and **NetScaler Gateway** updates close **CVE-2026-3055** and **CVE-2026-4368**, including a flaw that could leak sensitive memory from configured appli...
Citrix NetScaler reconnaissance scanning and version-enumeration campaign
Campaign
H score29
First: 03.02.2026 22:25
Last: 03.02.2026 22:25
Sources 1
About this happening:
A **Citrix NetScaler** reconnaissance campaign used **residential proxies** and **63,189 distinct IPs** between **January 28 and February 2** to map exposed login panels and EPA a...
Citrix NetScaler reconnaissance scanning and version-enumeration campaign
CampaignAbout this happening: A **Citrix NetScaler** reconnaissance campaign used **residential proxies** and **63,189 distinct IPs** between **January 28 and February 2** to map exposed login panels and EPA a...
Timeline
-
12.11.2025 16:00 2 articles · 7mo ago
Amazon discloses zero-day exploitation of Cisco ISE and Citrix NetScaler
Initial DisclosureAmazon's threat intelligence team disclosed that an advanced threat actor targeted Cisco Identity Service Engine (ISE), Cisco ISE Passive Identity Connector (ISE-PIC), and Citrix NetScaler ADC/Gateway by exploiting CVE-2025-5777 and CVE-2025-20337 as zero-days to deliver custom malware, including a web shell disguised as IdentityAuditAction, after detections from the MadPot honeypot network.
Show sources
- Amazon Uncovers Attacks Exploited Cisco ISE and Citrix NetScaler as Zero-Day Flaws — thehackernews.com — 12.11.2025 16:00
- Amazon Uncovers Attacks Exploited Cisco ISE and Citrix NetScaler as Zero-Day Flaws — thehackernews.com — 12.11.2025 16:00