
IdentityAuditAction stealth web shell deployment on Cisco ISE

Malware Activity
Happening score: 39
1 unique source, 1 article

Summary


A custom web shell, IdentityAuditAction, was deployed on Cisco ISE endpoints after exploitation of CVE-2025-20337, creating a stealthy post-exploitation foothold. It posed persistence and evasion risk by masquerading as a legitimate ISE component and intercepting requests as an HTTP listener. The implant also used Java reflection and Tomcat thread injection to reduce detection and complicate forensics.

Related Happenings

Cisco security patch release for CVE-2026-20184

Security Patch Release
First: 16.04.2026 14:27 Last: 16.04.2026 14:27 Sources 1

About this happening: **Cisco** released patches for **four critical flaws** affecting **Identity Services Engine (ISE)**, **ISE-PIC**, and **Webex Services**, closing paths to **arbitrary code executi...

Cisco ISE and ISE-PIC input-validation RCE (CVE-2026-20147)

Vulnerability
First: 16.04.2026 14:27 Last: 16.04.2026 14:27 Sources 1

About this happening: Cisco's **CVE-2026-20147** flaw in **Identity Services Engine (ISE)** and **ISE-PIC** can let authenticated admins reach **remote code execution** by sending **crafted HTTP reques...

BPFDoor Linux backdoor with HTTPS-hidden trigger packets

Malware Activity
First: 26.03.2026 19:40 Last: 26.03.2026 19:40 Sources 1

About this happening: A newly disclosed **BPFDoor** variant is hiding trigger packets inside **HTTPS traffic** and using **ICMP** between infected hosts, making the **Linux** backdoor harder to detect...

BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave

Exploitation Wave
First: 12.02.2026 23:34 Last: 12.02.2026 23:34 Sources 1

About this happening: **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...

React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)

Vulnerability
First: 09.02.2026 10:37 Last: 09.02.2026 10:37 Sources 1

About this happening: **React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...

Latest development: 09.03.2026 23:45

Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.

Timeline

  1. 12.11.2025 16:00 2 articles · 6mo ago

    Amazon identifies IdentityAuditAction web shell on Cisco ISE

    Technical Analysis Update

    Amazon Threat Intelligence linked exploitation of CVE-2025-20337 on Cisco Identity Services Engine (ISE) to a custom web shell named IdentityAuditAction, describing pre-auth admin access, a previously undocumented endpoint that used vulnerable deserialization logic, and post-exploitation behavior disguised as a legitimate ISE component.
