
Cisco ISE and Citrix NetScaler ADC zero-day malware delivery campaign

Campaign
First reported
Last updated
Happening score
H score 53
1 unique source, 1 article

Summary


A zero-day exploitation campaign against Cisco ISE and Citrix NetScaler ADC is delivering custom malware into enterprise identity and network access control infrastructure. The operation used CVE-2025-5777 and CVE-2025-20337 to reach exposed appliances and then plant a disguised IdentityAuditAction web shell. The broad, indiscriminate targeting raises the risk of unauthorized access across enterprise networks.

Related Happenings

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

Citrix security patch release for CVE-2026-3055

Security Patch Release
First: 24.03.2026 07:59 Last: 24.03.2026 07:59 Sources 1

About this happening: Citrix's **NetScaler ADC** and **NetScaler Gateway** updates close **CVE-2026-3055** and **CVE-2026-4368**, including a flaw that could leak sensitive memory from configured appli...

Citrix NetScaler reconnaissance scanning and version-enumeration campaign

Campaign
First: 03.02.2026 22:25 Last: 03.02.2026 22:25 Sources 1

About this happening: A **Citrix NetScaler** reconnaissance campaign used **residential proxies** and **63,189 distinct IPs** between **January 28 and February 2** to map exposed login panels and EPA a...

UAT-9686 Cisco AsyncOS exploitation and persistence campaign

Campaign
First: 17.12.2025 20:45 Last: 17.12.2025 20:45 Sources 1

About this happening: The **UAT-9686** campaign is actively exploiting **CVE-2025-20393** on **Cisco AsyncOS** email appliances, giving attackers **root command execution** and a foothold for persisten...

NetScaler ADC and Gateway / Cisco ISE exploited zero-day flaws (multiple vulnerabilities)

Vulnerability
First: 12.11.2025 16:00 Last: 12.11.2025 16:00 Sources 1

About this happening: **CVE-2025-5777** and **CVE-2025-20337** were exploited as **zero-days** against **NetScaler ADC and Gateway** and **Cisco ISE**, creating pre-disclosure compromise risk before fi...

Timeline

  1. 12.11.2025 16:00 2 articles · 6mo ago

    Amazon discloses zero-day exploitation of Cisco ISE and Citrix NetScaler

    Initial Disclosure

    Amazon's threat intelligence team disclosed, after detections from the MadPot honeypot network, that an advanced threat actor targeted Cisco Identity Services Engine (ISE), Cisco ISE Passive Identity Connector (ISE-PIC), and Citrix NetScaler ADC/Gateway. The actor exploited CVE-2025-5777 and CVE-2025-20337 as zero-days to deliver custom malware, including a web shell disguised as IdentityAuditAction.
