According to a recent report by threat intelligence firm GreyNoise, there is a coordinated increase in the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities across multiple platforms.
The company has observed that at least 400 IP addresses are actively exploiting multiple SSRF Common Vulnerabilities and Exposures (CVEs) simultaneously, with a notable overlap between the attack attempts. This activity was first detected on March 9, 2025.
The countries targeted by SSRF exploitation attempts include the United States, Germany, Singapore, India, Lithuania, and Japan. Additionally, Israel experienced a surge in exploitation attempts on March 11, 2025.
The following is a list of SSRF vulnerabilities that are being exploited:
GreyNoise has noted that many of the same IP addresses are targeting multiple SSRF vulnerabilities at once, rather than focusing on a single weakness. This pattern of activity suggests a structured exploitation effort, potentially involving automation or pre-compromise intelligence gathering.
Given the active exploitation attempts, it is crucial for users to apply the latest patches, restrict outbound connections to only necessary endpoints, and monitor for suspicious outbound requests.
GreyNoise highlighted the risks associated with SSRF vulnerabilities, stating that “many modern cloud services rely on internal metadata APIs, which can be accessed by SSRF if exploited.” The company warned that SSRF can be used to map internal networks, locate vulnerable services, and steal cloud credentials.
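The sketch below shows one way to act on the advice above to restrict and monitor outbound requests. It is an added example, not code from GreyNoise or the original article, and the allowlisted host names, the log format and the sample log lines are all constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only external hosts this application needs (constructed names).
ALLOWED_HOSTS = {"api.payments.example", "updates.example.com"}

def classify_destination(url):
    """Return 'allowed', 'internal' or 'unlisted' for one outbound URL."""
    host = urlsplit(url).hostname
    if not host:
        return "unlisted"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: only exact allowlist matches pass.
        return "allowed" if host.rstrip(".") in ALLOWED_HOSTS else "unlisted"
    # Unwrap IPv4-mapped IPv6 so ::ffff:a.b.c.d is judged as a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Loopback, private and link-local space (169.254.0.0/16 holds the address
    # most cloud metadata APIs listen on) is never a valid outbound target here.
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "internal"
    return "unlisted"

def scan_log(text):
    """Return (line_no, verdict, url) for every request that is not allowed."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        verdict = classify_destination(fields[3])
        if verdict != "allowed":
            findings.append((line_no, verdict, fields[3]))
    return findings

# Constructed sample log, assumed format: timestamp service method url
SAMPLE_LOG = """\
2025-03-11T10:02:11Z webapp GET https://api.payments.example/v1/charge
2025-03-11T10:02:14Z webapp GET http://169.254.169.254/
2025-03-11T10:02:15Z webapp GET http://10.0.4.17:8080/admin
2025-03-11T10:02:19Z webapp GET http://[::ffff:169.254.169.254]/
2025-03-11T10:02:23Z webapp GET https://unknown-host.example/ping
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The check works on the URL as logged and performs no DNS resolution, so a host name that resolves to an internal address is only caught by the allowlist; enforcing the same rule at the egress proxy or firewall closes that gap.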