CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Threat Actors Exploit Citrix and Cisco Zero-Day Vulnerabilities Before Patches Released

Amazon’s threat intelligence team has revealed that an advanced persistent threat (APT) actor exploited two critical zero-day vulnerabilities, one in Citrix NetScaler and one in Cisco Identity Services Engine (ISE), weeks before patches were available. The findings underscore the sophistication and speed with which state-sponsored and well-funded adversaries weaponize undisclosed flaws.

The Citrix Zero-Day: “CitrixBleed 2”

The first vulnerability, CVE-2025-5777 (CVSS 9.3), affects Citrix NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Insufficient input validation leads to an out-of-bounds memory read, so an unauthenticated attacker can pull fragments of appliance memory, including session tokens, out of the device.

Citrix issued a patch on June 17, 2025, but exploitation was already underway before disclosure. Security researcher Kevin Beaumont later dubbed it CitrixBleed 2, after CVE-2023-4966, the original CitrixBleed, a NetScaler memory leak that exposed session tokens and let attackers hijack authenticated sessions, bypassing multi-factor authentication.

Amazon’s MadPot honeypot network recorded exploitation attempts before Citrix’s public advisory, indicating that the APT group had the vulnerability in hand early and was using it in targeted attacks.

On July 10, 2025, CISA (the U.S. Cybersecurity and Infrastructure Security Agency) added the flaw to its Known Exploited Vulnerabilities catalog and, calling it an “unacceptable risk” to federal networks, gave agencies a single day to remediate. Patching alone is not sufficient here: because the leak exposes session tokens, Citrix’s advisory also instructs administrators to terminate all active ICA and PCoIP sessions after upgrading (kill icaconnection -all and kill pcoipConnection -all), since tokens stolen before the patch remain valid until their sessions are killed.

The Cisco ISE Exploit: A Sophisticated Web Shell Attack

The second vulnerability, CVE-2025-20337 (CVSS 10.0), affects Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Insufficient validation of user-supplied input in a specific API lets an unauthenticated remote attacker submit a crafted request and execute arbitrary code on the underlying operating system as root. Cisco published no workaround; the fix is to upgrade to the patched releases (ISE 3.3 Patch 7 or 3.4 Patch 2).

Although Cisco disclosed the issue on July 16, 2025, Amazon’s investigation shows that the same APT group had been exploiting it weeks before the patch was released.

Attackers deployed a custom in-memory web shell masquerading as a legitimate ISE component. Because it was never written to disk as a class file or JSP, it left nothing for file-based scanners to find. This web shell:

  • Used Java reflection to inject itself into running Tomcat threads.

  • Registered itself to see every HTTP request handled by ISE’s embedded Tomcat server.

  • Used DES encryption and a non-standard Base64 alphabet to hide its command-and-control traffic.

  • Responded only to requests carrying specific HTTP headers, so ordinary scans, crawlers and casual probing of the URL saw nothing unusual.

Amazon’s analysis found that the threat actor demonstrated a deep understanding of enterprise Java systems, Tomcat internals and Cisco’s architecture, suggesting significant in-house expertise or access to non-public vulnerability research, whether developed or purchased. For responders, the in-memory design cuts both ways: restarting the ISE application removes the shell, but it also destroys the only copy of the evidence, so capture a heap dump or memory image before restarting.
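The shell described above lives only in the JVM’s heap and hooks the request path, which is exactly what a loaded-class audit can look for. The following Java agent is an added example (not Amazon’s, Cisco’s or the newsletter’s tooling) that attaches to a live JVM and lists classes that have no on-disk origin (no CodeSource location, the normal signature of a class defined from a byte array at runtime) and that implement a servlet-layer hook type (Servlet, Filter, request listener or Tomcat Valve). Hook-type names, the output format and the command-line usage are this example’s own choices; the product’s class names are not assumed. The result is a review list, not a verdict: framework-generated classes can appear and must be triaged by hand.

```java
// ClassOriginAudit.java  (added example, not tooling from Amazon, Cisco or the page)
//
// Lists classes in a live JVM that (a) carry no CodeSource location, i.e. were
// defined from bytes at runtime rather than loaded from a jar or directory, and
// (b) implement a type on the HTTP request path. An in-memory web shell that
// injected itself via reflection usually satisfies both. Java 8 compatible.
import java.io.IOException;
import java.lang.instrument.Instrumentation;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class ClassOriginAudit {

    // Request-path types a web shell would register as. Matched by name so this
    // compiles without Tomcat or the servlet API (javax or jakarta) on the class path.
    private static final Set<String> HOOK_TYPES = new HashSet<>(Arrays.asList(
        "javax.servlet.Servlet", "jakarta.servlet.Servlet",
        "javax.servlet.Filter", "jakarta.servlet.Filter",
        "javax.servlet.ServletRequestListener", "jakarta.servlet.ServletRequestListener",
        "org.apache.catalina.Valve"));

    // Dynamic-attach entry point (Agent-Class in the jar manifest). 'options' is an
    // optional output path; without it, findings go to the target JVM's own stdout.
    public static void agentmain(String options, Instrumentation inst) throws IOException {
        List<String> findings = audit(inst.getAllLoadedClasses());
        if (options == null || options.isEmpty()) {
            findings.forEach(System.out::println);
        } else {
            Files.write(Paths.get(options), findings);
        }
    }

    // One line per suspicious class: name, defining class loader, matched hook types.
    static List<String> audit(Class<?>[] loaded) {
        List<String> findings = new ArrayList<>();
        for (Class<?> c : loaded) {
            try {
                if (isPlatformOrSynthetic(c) || hasCodeSourceLocation(c)) continue;
                List<String> hooks = hookTypesOf(c);
                if (hooks.isEmpty()) continue;   // memory-only, but not on the request path
                findings.add(c.getName() + " loader=" + c.getClassLoader() + " hooks=" + hooks);
            } catch (Throwable t) {
                // A class that fails to link while being inspected is skipped, not fatal.
            }
        }
        return findings;
    }

    // Bootstrap classes, lambdas, dynamic proxies and hidden classes legitimately lack a location.
    static boolean isPlatformOrSynthetic(Class<?> c) {
        String n = c.getName();
        return c.isArray() || c.isPrimitive() || c.isSynthetic()
            || c.getClassLoader() == null            // bootstrap loader
            || n.indexOf('/') >= 0                  // hidden / anonymous classes (Foo/0x...)
            || n.contains("$$Lambda") || n.contains("$Proxy");
    }

    // Classes loaded from a jar or directory carry a CodeSource with a URL; classes defined
    // with ClassLoader.defineClass(name, bytes, off, len) and no ProtectionDomain do not.
    // Caveat: a shell that supplies its own forged ProtectionDomain evades this check.
    static boolean hasCodeSourceLocation(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = pd == null ? null : pd.getCodeSource();
        return cs != null && cs.getLocation() != null;
    }

    // Walks the superclass chain and every interface (transitively), collecting HOOK_TYPES hits.
    static List<String> hookTypesOf(Class<?> c) {
        List<String> hits = new ArrayList<>();
        for (Class<?> k = c; k != null; k = k.getSuperclass()) collectInterfaces(k, hits);
        return hits;
    }

    private static void collectInterfaces(Class<?> k, List<String> hits) {
        for (Class<?> i : k.getInterfaces()) {
            if (HOOK_TYPES.contains(i.getName()) && !hits.contains(i.getName())) hits.add(i.getName());
            collectInterfaces(i, hits);
        }
    }

    // Attach to a running JVM (same user, jdk.attach module available) and load this jar
    // into it. Usage: java -cp ClassOriginAudit.jar ClassOriginAudit <pid> <agent.jar> [out.txt]
    public static void main(String[] args) throws Exception {
        com.sun.tools.attach.VirtualMachine vm = com.sun.tools.attach.VirtualMachine.attach(args[0]);
        try {
            vm.loadAgent(args[1], args.length > 2 ? args[2] : null);
        } finally {
            vm.detach();
        }
    }
}
```

Build it with javac and package it with a manifest carrying Agent-Class: ClassOriginAudit and Main-Class: ClassOriginAudit, then run it against the live process ID; do not restart the target first, because a restart removes an in-memory shell along with the evidence. To see every memory-only class rather than only those on the request path, drop the hooks.isEmpty() skip and diff the list against the class names shipped in the product’s own jars. On a healthy server the hook-filtered list should be empty or contain only classes you can trace to a known framework.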

Attribution and Implications

Amazon has not publicly attributed the activity to a specific nation-state, but the precision and resources involved suggest a highly capable, possibly state-linked APT.

The parallel exploitation of two major enterprise products highlights a disturbing trend: threat actors are discovering or acquiring zero-days, and turning them into working exploits against edge and identity infrastructure, faster than vendors can ship patches.

Amazon’s findings emphasize the need for:

  • Continuous threat intelligence monitoring for early detection.

  • Rapid patch management programs.

  • Defense-in-depth strategies to reduce exposure to zero-day exploitation.

These attacks serve as a reminder that even well-secured enterprises must assume compromise and invest in proactive, adaptive defense mechanisms against advanced adversaries.
