Saved February 14, 2026
Do you care about this?
Amazon's threat intelligence team reported an advanced threat actor exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler systems. The actor deployed custom, memory-resident malware to gain and keep unauthorized access, underlining the risk to identity and network access control infrastructure that sits at the heart of enterprise networks.
If you do, here's more
Amazon's threat intelligence team has uncovered an advanced persistent threat (APT) exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler. The discovery came through MadPot, Amazon's honeypot network, which recorded exploitation attempts against the Citrix Bleed Two vulnerability (CVE-2025-5777) before the flaw was publicly known. Pivoting from that activity, the team found a previously unknown vulnerability in Cisco ISE, later designated CVE-2025-20337. The flaw allowed unauthenticated attackers to execute code remotely on Cisco ISE deployments with administrator-level privileges, and it was being exploited before Cisco had assigned a CVE number or released patches.
After exploiting these vulnerabilities, the threat actor deployed a custom web shell named IdentityAuditAction, tailored to Cisco ISE environments. The backdoor ran entirely in memory, leaving no file on disk for file-integrity checks or disk-based antivirus to find. It used Java reflection to inject itself into the running Tomcat process and register a component that could inspect every HTTP request the server handled. The shell encrypted its traffic to evade inspection and only responded to requests carrying specific HTTP headers, so that scanners, crawlers and casual probes received ordinary responses. Together these traits point to an actor with deep knowledge of both the Java/Tomcat stack and the target appliance.
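A memory-resident web shell like the one described above has no file on disk, so the usual hunt is over the JVM itself: list the classes the running Tomcat has loaded and look for ones whose bytecode was defined at runtime (no CodeSource) or whose jar no longer exists. The following script is an added example, not code from Amazon's report or from Cisco; it assumes the responder has exported a class inventory from a heap dump or a JVMTI agent in a simple pipe-separated format (the format, class names, loader names and paths below are constructed, and the vendor-namespace allowlist is an assumption). The same heuristic applies to any Tomcat-based appliance, not only ISE.

```python
"""Hunt for memory-resident Java web shells in a loaded-class inventory.

Heuristics (assumptions, not vendor guidance):
  HIGH   - class has no CodeSource: its bytes were defined at runtime
           (ClassLoader.defineClass / Unsafe), the hallmark of in-memory shells
  HIGH   - class claims a CodeSource path that is not on disk: staging jar
           deleted after loading
  MEDIUM - class lives outside the namespaces expected on the appliance
"""
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed allowlist of package prefixes expected on a Tomcat-based appliance.
EXPECTED_PREFIXES = ("java.", "javax.", "jakarta.", "sun.", "jdk.",
                     "org.apache.", "com.cisco.")

# Constructed inventory: "<class name>|<classloader>|<code source path or ->".
SAMPLE_INVENTORY = """\
# class|loader|codesource
org.apache.catalina.filters.CorsFilter|java.net.URLClassLoader|/opt/tomcat/lib/catalina.jar
com.cisco.ise.web.AuthFilter|ParallelWebappClassLoader|/opt/ise/webapps/admin/WEB-INF/lib/ise-web.jar
example.HookFilter|ParallelWebappClassLoader|-
org.apache.tomcat.util.Helper|java.net.URLClassLoader|/tmp/stage.jar
org.apache.coyote.http11.Http11Processor|java.net.URLClassLoader|/opt/tomcat/lib/tomcat-coyote.jar
"""

# Constructed stand-in for the appliance filesystem, so the example runs offline.
DISK_FIXTURE = {
    "/opt/tomcat/lib/catalina.jar",
    "/opt/ise/webapps/admin/WEB-INF/lib/ise-web.jar",
    "/opt/tomcat/lib/tomcat-coyote.jar",
}


def path_in_fixture(path: str) -> bool:
    """Replacement for os.path.exists that consults the constructed fixture."""
    return path in DISK_FIXTURE


@dataclass
class LoadedClass:
    name: str
    loader: str
    code_source: Optional[str]  # None when the JVM reported no CodeSource


def parse_inventory(text: str) -> List[LoadedClass]:
    """Parse the pipe-separated inventory, skipping blanks and '#' comments."""
    classes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, loader, source = line.split("|", 2)
        classes.append(LoadedClass(name, loader, None if source == "-" else source))
    return classes


def assess(cls: LoadedClass,
           path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the list of findings for one class (empty list means clean)."""
    findings = []
    if cls.code_source is None:
        findings.append("HIGH: no CodeSource, bytecode defined at runtime")
    elif not path_exists(cls.code_source):
        findings.append(f"HIGH: CodeSource {cls.code_source} missing on disk")
    if not cls.name.startswith(EXPECTED_PREFIXES):
        findings.append("MEDIUM: package outside expected namespaces")
    return findings


def hunt(text: str,
         path_exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Map each suspicious class name to its findings; clean classes are omitted."""
    report = {}
    for cls in parse_inventory(text):
        findings = assess(cls, path_exists)
        if findings:
            report[cls.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_INVENTORY, path_in_fixture).items():
        print(name)
        for finding in findings:
            print("   ", finding)
```

On a live system, replace `path_in_fixture` with the default `os.path.exists` (or a check against the appliance's package manifest) and feed the script a real inventory. A class with no CodeSource is not proof of compromise on its own, since frameworks generate proxies at runtime too, but a runtime-defined class registered in the Tomcat filter or valve chain, outside the vendor namespaces, is exactly what an in-memory web shell looks like and deserves a look at the bytes in the heap dump.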
The implications of these findings are significant. The APT's focus on identity and access control infrastructure shows how capable threat actors go after the systems that decide who gets onto the network. Because both flaws were pre-authentication zero-days, even fully patched, well-maintained deployments were exposed until the vendors shipped fixes. Amazon's recommendations follow from that: assume exposed edge and identity appliances can be compromised, keep their management interfaces off the Internet and reachable only from administrative networks, limit who and what can reach privileged systems, and invest in detection that can catch unusual behaviour on the appliance itself rather than relying on file-based indicators alone.