A coordinated surge in Server-Side Request Forgery (SSRF) exploitation has been detected across multiple widely used platforms, affecting organizations worldwide.<\/p>\n
Security monitoring reveals approximately 400 unique IP addresses actively targeting multiple SSRF-related CVEs simultaneously, indicating a sophisticated and potentially dangerous campaign.<\/p>\n
The exploitation surge began on March 9, 2025, with attackers showing a pattern of targeting multiple vulnerabilities rather than focusing on a single known weakness.<\/p>\n
This coordinated approach suggests structured exploitation, automation, and intelligence gathering rather than routine botnet activity.<\/p>\n
The attack pattern demonstrates an unusually systematic approach to exploitation<\/a>, with many of the same IP addresses cycling between attack attempts on different vulnerabilities.<\/p>\n This behavior differs significantly from typical opportunistic attacks, suggesting a well-organized operation with specific objectives.<\/p>\n GreyNoise analysts identified<\/a> that these attackers are exploiting at least ten different SSRF-related CVEs.<\/p>\n The researchers noted that exploitation attempts typically involve malicious HTTP requests crafted to trick servers into making unauthorized internal or external requests to arbitrary domains of the attackers\u2019 choosing.<\/p>\n SSRF vulnerabilities allow attackers to abuse server functionality to make HTTP<\/a> requests to arbitrary domains.<\/p>\n These vulnerabilities are particularly dangerous in cloud environments where they can be leveraged to access internal metadata APIs, map internal networks, locate vulnerable services, and steal cloud credentials.<\/p>\n A typical SSRF exploit might involve a request like the following code example:-<\/p>\n The significance of SSRF vulnerabilities was dramatically highlighted in the 2019 Capital One breach, which exposed over 100 million customer records through similar exploitation techniques.<\/p>\n The current exploitation surge serves as a sobering reminder that SSRF vulnerabilities continue to pose significant risks to organizations worldwide.<\/p>\n The United States receiving the highest volume of attacks, followed by India, Lithuania, Canada, Japan, and several European nations.<\/p>\n Israel saw SSRF exploitation activity as early as January 2025, with renewed activity observed in this latest surge.<\/p>\n The top countries receiving SSRF exploitation during the March 9 surge were the United States, Singapore, India, and Japan, suggesting targeted interest in organizations within these regions.<\/p>\n Organizations should take immediate steps to ensure they are not exposed to these attacks by patching affected systems against the exploited CVEs, including CVE-2020-7796 (Zimbra Collaboration Suite), CVE-2021-22214 (GitLab CE\/EE), CVE-2021-39935 (GitLab CE\/EE), CVE-2021-22175 (GitLab CE\/EE), CVE-2017-0929 (DotNetNuke), CVE-2021-22054 (VMware Workspace ONE UEM), CVE-2021-21973 (VMware vCenter), CVE-2023-5830 (ColumbiaSoft DocumentLocator), CVE-2024-21893 (Ivanti Connect Secure), CVE-2024-6587 (BerriAI LiteLLM).<\/p>\n Security teams should implement URL validation that rejects or sanitizes user inputs containing internal IP ranges (10.0.0.0\/8, 172.16.0.0\/12, 192.168.0.0\/16) and restrict outbound connections from internal applications<\/a> to only necessary endpoints.<\/p>\n Moreover, monitoring<\/a> for suspicious outbound requests and setting up alerts for unexpected outbound connections can help detect exploitation attempts in progress.<\/p>\n The post 400+ IPs Actively Exploiting Multiple SSRF Vulnerabilities In The Wild<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nGET \/api\/fetch?url=http:\/\/169.254.169.254\/latest\/meta-data\/ HTTP\/1.1\nHost: vulnerable-server.com\nUser-Agent: Mozilla\/5.0<\/code><\/pre>\nGeographical Distribution and Defensive Measures<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhuTpl3KAuLqa907CgBngdfsJYSFMY2SzfZNk9z-fKL753S7z745i5H5zg0_7olFywjYwO6yFLwCe5anFcLI9EyIBwJxd9WVjpmpjwmMv5wDB91ACpH7yqwyAPflO4UjV9cuJPihvuWwm8WZhW6c2ZJse22JRxhMilHYuS0PZADaZ-t9vwbyRmNveMzpIM\/s16000\/SSRF%2520Attack%2520Distribution%2520by%2520Destination%2520Country%2520%28Source%2520-%2520GreyNoise%29.webp?ssl=1\")
Are you from SOC\/DFIR Teams? \u2013 Analyse Malware Incidents & get live Access with ANY.RUN ->\u00a0Start Now for Free<\/a>.<\/strong><\/code><\/strong><\/strong><\/p>\n