
Cybersecurity Threat Advisory

An advanced threat actor is exploiting two previously disclosed zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC to deploy custom malware and maintain persistence on targeted networks. Reports indicate the attacker is chaining appliance exploits to execute payloads on hosts, ensuring a foothold for follow-on activity and data exfiltration. Continue reading this Cybersecurity Threat Advisory to learn how to protect your environment against this campaign.

What is the threat?

An APT group is exploiting unpatched Cisco ISE and Citrix NetScaler ADC vulnerabilities to run code and deploy custom malware. These network management appliances grant privileged access and can serve as pivot points into internal resources when compromised.

Why is it noteworthy?

These were zero‑day vulnerabilities actively exploited in the wild against production infrastructure, creating an urgent risk for affected organizations. Network appliances like Cisco ISE and Citrix NetScaler are high‑value targets because they manage authentication, access control, and traffic for multiple services—meaning a compromise can have broad impact beyond a single host. Amazon, Cisco, Citrix, and CISA advisories detail this campaign, underscoring its severity and widespread concern.

What is the exposure or risk?

Any organization running vulnerable versions of Cisco ISE or Citrix NetScaler ADC with network exposure—especially if management interfaces are accessible from untrusted networks—is at immediate risk of remote exploitation and subsequent lateral movement. Public advisories, including those from CISA, highlight Citrix NetScaler variants because attackers have exploited them in prior campaigns with significant impact.

What are the recommendations?

Barracuda recommends the following actions to secure your network infrastructure and systems:

  • Identify all Cisco ISE and Citrix NetScaler ADC/ADC-LB appliances and record software/firmware versions and network exposure. Confirm whether management interfaces are reachable from untrusted networks.
  • Apply vendor patches or emergency mitigations from Cisco and Citrix immediately where available; if a vendor patch is not yet applied, follow vendor-recommended workarounds to block the vulnerable endpoint paths or limit access.
  • Immediately restrict access to appliance management interfaces to trusted admin networks or jump hosts and enforce TLS, IP allow-listing, and strong authentication. Place appliances on isolated management VLANs and block management ports at the perimeter when they are reachable from untrusted space.

Hunting, detection, and validation

  • Inspect scheduled tasks, new accounts, unusual service installs, and any modified configuration on appliances and adjacent hosts. Validate the integrity of backups and configuration exports.
  • Apply WAF/NACS/IPS signatures to detect and block exploitation attempts, and update IDS/IPS and EDR detections with vendor or threat-intelligence signatures where available.

Remediation and containment

  • If exploitation is suspected, isolate affected appliances, preserve full logs and memory snapshots for forensic review, rotate administrative credentials and service accounts, and use offline backups to validate data integrity.
  • Enforce least-privilege admin access, MFA for management access where supported, network segmentation, monitoring, and change control for appliance firmware and patching.
  • Consider enabling additional telemetry and patch-management controls for infrastructure appliances, and update incident response playbooks to include appliance compromise scenarios.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Posted by Aniket Kapoor

Aniket is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Aniket supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
