A coordinated surge in Server-Side Request Forgery (SSRF) exploitation has been detected across multiple widely used platforms, affecting organizations worldwide.
Security monitoring reveals approximately 400 unique IP addresses actively targeting multiple SSRF-related CVEs simultaneously, indicating a sophisticated and potentially dangerous campaign.
The exploitation surge began on March 9, 2025, with attackers showing a pattern of targeting multiple vulnerabilities rather than focusing on a single known weakness.
This coordinated approach suggests structured exploitation, automation, and intelligence gathering rather than routine botnet activity.
The attack pattern demonstrates an unusually systematic approach to exploitation, with many of the same IP addresses cycling between attack attempts on different vulnerabilities.
This behavior differs significantly from typical opportunistic attacks, suggesting a well-organized operation with specific objectives.
GreyNoise analysts identified that these attackers are exploiting at least ten different SSRF-related CVEs.
The researchers noted that exploitation attempts typically involve malicious HTTP requests crafted to trick servers into making unauthorized internal or external requests to arbitrary domains of the attackers’ choosing.
SSRF vulnerabilities allow attackers to abuse server functionality to make HTTP requests to arbitrary domains.
These vulnerabilities are particularly dangerous in cloud environments where they can be leveraged to access internal metadata APIs, map internal networks, locate vulnerable services, and steal cloud credentials.
A typical SSRF exploit might involve a request like the following, in which a URL-fetching endpoint is pointed at the cloud instance metadata service:
GET /api/fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
Host: vulnerable-server.com
User-Agent: Mozilla/5.0
The significance of SSRF vulnerabilities was dramatically highlighted in the 2019 Capital One breach, which exposed over 100 million customer records through similar exploitation techniques.
The current exploitation surge serves as a sobering reminder that SSRF vulnerabilities continue to pose significant risks to organizations worldwide.
Geographical Distribution and Defensive Measures
The United States received the highest volume of attacks, followed by India, Lithuania, Canada, Japan, and several European nations.
Israel saw SSRF exploitation activity as early as January 2025, with renewed activity observed in this latest surge.
The top countries receiving SSRF exploitation during the March 9 surge were the United States, Singapore, India, and Japan, suggesting targeted interest in organizations within these regions.
Organizations should take immediate steps to ensure they are not exposed to these attacks by patching affected systems against the exploited CVEs, including CVE-2020-7796 (Zimbra Collaboration Suite), CVE-2021-22214 (GitLab CE/EE), CVE-2021-39935 (GitLab CE/EE), CVE-2021-22175 (GitLab CE/EE), CVE-2017-0929 (DotNetNuke), CVE-2021-22054 (VMware Workspace ONE UEM), CVE-2021-21973 (VMware vCenter), CVE-2023-5830 (ColumbiaSoft DocumentLocator), CVE-2024-21893 (Ivanti Connect Secure), CVE-2024-6587 (BerriAI LiteLLM).
Security teams should implement URL validation that rejects or sanitizes user inputs containing internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and restrict outbound connections from internal applications to only necessary endpoints.
Moreover, monitoring for suspicious outbound requests and setting up alerts for unexpected outbound connections can help detect exploitation attempts in progress.
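The URL validation described above, as an added example that is not part of the original article or any vendor's code: a guard for a "fetch this URL" feature that rejects non-HTTP schemes, literal internal addresses, and hostnames that resolve to internal addresses. It goes beyond the three RFC 1918 ranges named in the text by also blocking loopback and link-local space (including the 169.254.169.254 metadata endpoint from the request shown earlier) and by unwrapping IPv4-mapped IPv6 addresses; the `resolve` parameter is a hypothetical hook so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Networks a URL-fetch feature must never reach. The first three are the
# RFC 1918 ranges named in the article; loopback, link-local (which covers the
# 169.254.169.254 cloud metadata endpoint) and IPv6 equivalents are added here.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def _default_resolve(host):
    """Resolve a hostname to the set of IP addresses it currently points at."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_url(url, resolve=_default_resolve):
    """Return True only if url is http(s) and every address it maps to is public.

    `resolve` is an injectable hook (hypothetical, for offline testing); it must
    return an iterable of address strings or raise OSError on lookup failure.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                      # block file://, gopher://, dict://, ...
    host = parts.hostname
    if not host:
        return False
    try:
        addrs = {ipaddress.ip_address(host)}          # literal IP in the URL
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (OSError, ValueError):
            return False                  # unresolvable or malformed: fail closed
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.5) so the IPv4 rules apply.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if not addr.is_global:            # private, loopback, link-local, reserved
            return False
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False
    return True
```

Because the name is resolved here and again when the HTTP client connects, a DNS-rebinding answer can change between the two lookups; connect to the address that passed the check (or pin it in the client) and apply the same check to every redirect target.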