A surge in cyberattacks targeting SSRF vulnerabilities has been detected, with over 400 IP addresses actively exploiting multiple flaws across various platforms, according to cybersecurity firm GreyNoise. The scale and sophistication of these attacks suggest an advanced threat actor or a well-organized cybercriminal network leveraging automation for widespread exploitation.
Coordinated Surge in SSRF Exploitation
GreyNoise reported observing this surge on March 9, 2025, highlighting a pattern of coordinated and simultaneous attacks. Rather than targeting a single vulnerability, attackers are focusing on multiple Common Vulnerabilities and Exposures (CVEs), indicating a structured, automated, or intelligence-driven approach. This widespread activity raises concerns about the potential for data breaches, system intrusions, and cloud service exploitation.
The countries most affected by these attacks include the United States, Germany, Singapore, India, Lithuania, and Japan. Notably, Israel experienced a significant rise in SSRF exploitation attempts on March 11, 2025. Given the scale of the attack, organizations in these regions should be on high alert and strengthen their cybersecurity defenses accordingly.
List of Targeted SSRF Vulnerabilities
The ongoing attacks involve the exploitation of several SSRF vulnerabilities, including:
- CVE-2017-0929 (CVSS score: 7.5) – DotNetNuke
- CVE-2020-7796 (CVSS score: 9.8) – Zimbra Collaboration Suite
- CVE-2021-21973 (CVSS score: 5.3) – VMware vCenter
- CVE-2021-22054 (CVSS score: 7.5) – VMware Workspace ONE UEM
- CVE-2021-22175 (CVSS score: 9.8) – GitLab CE/EE
- CVE-2021-22214 (CVSS score: 8.6) – GitLab CE/EE
- CVE-2021-39935 (CVSS score: 7.5) – GitLab CE/EE
- CVE-2023-5830 (CVSS score: 9.8) – ColumbiaSoft DocumentLocator
- CVE-2024-6587 (CVSS score: 7.5) – BerriAI LiteLLM
- CVE-2024-21893 (CVSS score: 8.2) – Ivanti Connect Secure
- OpenBMCS 2.4 Authenticated SSRF Attempt (No CVE)
- Zimbra Collaboration Suite SSRF Attempt (No CVE)
Automated and Structured Exploitation
GreyNoise noted that many of the attacking IP addresses are exploiting multiple SSRF flaws simultaneously. This suggests a high level of coordination, automation, and possibly pre-compromise reconnaissance efforts. Cybercriminals often use SSRF attacks to bypass security controls, access internal services, and escalate privileges within a network. Such exploitation patterns indicate that the attackers are not simply testing vulnerabilities but actively seeking to compromise sensitive systems.
Why SSRF Attacks Are a Serious Threat
SSRF vulnerabilities are particularly dangerous as they allow attackers to send crafted requests from a vulnerable server to internal systems. This can be used to:
- Map internal networks
- Locate unprotected services
- Steal cloud credentials
- Gain unauthorized access to metadata APIs used by cloud services
- Exploit backend infrastructure to launch further attacks
Modern cloud services often rely on internal metadata APIs, which can be accessed via SSRF vulnerabilities if left unpatched. Once inside, attackers can manipulate cloud configurations, extract credentials, and even deploy malware within cloud environments. This makes SSRF a prime target for both nation-state actors and financially motivated cybercriminals.
Mitigation Strategies to Reduce Risk
With active exploitation in progress, organizations must take immediate steps to protect their systems:
- Apply the latest patches for all affected software to close known security gaps.
- Restrict outbound network connections to only necessary endpoints to minimize exposure.
- Monitor outbound requests for any unusual activity that could indicate exploitation attempts.
- Implement Web Application Firewalls (WAFs) with SSRF-specific detection rules.
- Use network segmentation to limit access to critical internal systems.
- Enforce strict access controls for cloud-based services and metadata APIs.
By taking these proactive security measures, organizations can reduce their risk of SSRF exploitation and mitigate the potential damage caused by these attacks
As SSRF vulnerabilities continue to be actively targeted, organizations must remain vigilant. The sheer scale of this attack campaign indicates that SSRF remains a high-value vector for cybercriminals. Implementing strict security measures, regularly updating software, and monitoring for suspicious traffic can significantly reduce the risk of falling victim to these attacks.
Security teams should also consider threat intelligence services like GreyNoise to stay informed about emerging attack patterns. By leveraging real-time threat intelligence, organizations can proactively defend against evolving cybersecurity threats and protect their critical assets from compromise.
For more cybersecurity news, click here.
