With Black Friday fast approaching, and the security issues surrounding it already making headlines, any mention of Amazon in an exploit story is bound to get the pulse racing. But you can relax, as this isn’t another Amazon Web Services authentication issue, nor a viral, if entirely baseless, Amazon Ring hacking claim. So, what are the CVE-2025-5777 and CVE-2025-20337 zero-day vulnerabilities that the Amazon Threat Intelligence team has newly confirmed were used in attacks by an “advanced threat actor”? Here’s everything you need to know.
Amazon Threat Intelligence Confirms Advanced Hacker Exploiting Two Zero-Day Vulnerabilities
Not all zero-day threat stories are worth getting unduly excited about. Some, however, are a different kettle of fish. The CVE-2025-5777 and CVE-2025-20337 zero-days, which Amazon has confirmed were used simultaneously in an attempt to access critical identity and network access control infrastructure, fall into that category: both raise genuine pre-authentication attack concerns.
Amazon’s chief information security officer and vice president of security engineering, CJ Moses, has published confirmation of an advanced persistent attacker using two separate and previously undisclosed zero-day vulnerabilities in an exploit campaign against those systems used by enterprises to enforce their security policies and manage authentication.
Amazon MadPot Honeypot Strikes Again
The hacking campaign was caught by the Amazon MadPot honeypot, a decoy network designed to lure attackers into believing they have found a real, exploitable target. It detected “exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) prior to public disclosure,” Moses said. Analysis by Amazon’s security researchers further identified “an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic.” That was, it turned out, another zero-day. CVE-2025-20337 enabled attackers to gain pre-authentication remote code execution on Cisco ISE deployments and, as a result, administrator-level access to compromised systems. “What made this discovery particularly concerning,” Moses warned, “was that exploitation was occurring in the wild before Cisco had assigned a CVE number or released comprehensive patches across all affected branches of Cisco ISE.”
Amazon Security Recommendations, Citrix And Cisco Patches Already Available
Moses said that security teams should use this information as “a reminder that critical infrastructure components like identity management systems and remote access gateways remain prime targets for threat actors.” Amazon recommends restricting access to privileged security appliance endpoints, such as management portals, through firewalls or layered access controls. You can find out more about the zero-days and patches directly from Citrix and Cisco.
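One way to act on that recommendation is to audit perimeter firewall rules for any that let a non-admin source reach an appliance’s management plane. The script below is an added example, not Amazon’s, Citrix’s or Cisco’s code; the management addresses, admin networks and sample ruleset are constructed placeholders, and it deliberately ignores user-facing gateway VIPs, which are public by design.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed management-plane addresses and ports for this example: the ISE admin
# portal (HTTPS) and the NetScaler management IP (NSIP). Placeholder values.
MGMT_HOSTS = {"10.1.1.10": "ise-node-1 admin", "10.1.1.20": "netscaler NSIP"}
MGMT_PORTS = {22, 443}

# Constructed allowlist: a jump-host subnet and an admin VPN pool are the only
# sources permitted to reach management endpoints.
ADMIN_NETS = [ip_network("10.10.5.0/24"), ip_network("10.200.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    dport: int
    dst: str      # destination host address
    action: str   # "allow" or "deny"


def rule_exposes_mgmt(rule: Rule) -> bool:
    """True if an allow rule lets a non-admin source reach a management endpoint."""
    if rule.action != "allow" or rule.dport not in MGMT_PORTS:
        return False
    if rule.dst not in MGMT_HOSTS:
        return False  # user-facing gateway VIPs are public by design, not in scope
    src = ip_network(rule.src, strict=False)
    # Safe only if every address the rule admits lies inside one admin network.
    return not any(src.subnet_of(net) for net in ADMIN_NETS)


def audit(rules):
    """Return the names of rules that expose a management endpoint too widely."""
    return [r.name for r in rules if rule_exposes_mgmt(r)]


# Constructed sample ruleset (not from the article) for a perimeter firewall
# in front of an ISE node and a NetScaler appliance.
SAMPLE_RULES = [
    Rule("ise-admin-from-jumphosts", "10.10.5.0/24", 443, "10.1.1.10", "allow"),
    Rule("ise-ssh-from-vpn", "10.200.0.0/16", 22, "10.1.1.10", "allow"),
    Rule("gateway-vip-public", "0.0.0.0/0", 443, "203.0.113.10", "allow"),
    Rule("netscaler-nsip-any", "0.0.0.0/0", 443, "10.1.1.20", "allow"),  # too broad
    Rule("ise-admin-corp-lan", "10.0.0.0/8", 443, "10.1.1.10", "allow"),  # too broad
    Rule("default-deny-mgmt", "0.0.0.0/0", 443, "10.1.1.10", "deny"),
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        print(f"FINDING: {name} reaches a management endpoint from outside the admin allowlist")
```

Note that a broad corporate LAN rule is flagged even though it contains the jump-host subnet: the check requires the whole source range to sit inside an admin network, not merely overlap one.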