Latest Cyber Security News

You are here: Home / General Cyber Security News / Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack
March 12, 2025

Threat intelligence firm GreyNoise is warning of a “coordinated surge” in the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities spanning multiple platforms.

“At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts,” the company said, adding it observed the activity on March 9, 2025.

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


The countries which have emerged as the target of SSRF exploitation attempts include the United States, Germany, Singapore, India, Lithuania, and Japan. Another notable country is Israel, which has witnessed a surge on March 11, 2025.

Cybersecurity

The list of SSRF vulnerabilities being exploited are listed below –

  • CVE-2017-0929 (CVSS score: 7.5) – DotNetNuke
  • CVE-2020-7796 (CVSS score: 9.8) – Zimbra Collaboration Suite
  • CVE-2021-21973 (CVSS score: 5.3) – VMware vCenter
  • CVE-2021-22054 (CVSS score: 7.5) – VMware Workspace ONE UEM
  • CVE-2021-22175 (CVSS score: 9.8) – GitLab CE/EE
  • CVE-2021-22214 (CVSS score: 8.6) – GitLab CE/EE
  • CVE-2021-39935 (CVSS score: 7.5) – GitLab CE/EE
  • CVE-2023-5830 (CVSS score: 9.8) – ColumbiaSoft DocumentLocator
  • CVE-2024-6587 (CVSS score: 7.5) – BerriAI LiteLLM
  • CVE-2024-21893 (CVSS score: 8.2) – Ivanti Connect Secure
  • OpenBMCS 2.4 Authenticated SSRF Attempt (No CVE)
  • Zimbra Collaboration Suite SSRF Attempt (No CVE)

Cybersecurity

GreyNoise said that many of the same IP addresses are targeting multiple SSRF flaws at once rather than focusing on one particular weakness, noting the pattern of activity suggests structured exploitation, automation, or pre-compromise intelligence gathering.

In light of active exploitation attempts, it’s essential that users apply the latest patches, limit outbound connections to necessary endpoints, and monitor for suspicious outbound requests.

“Many modern cloud services rely on internal metadata APIs, which SSRF can access if exploited,” GreyNoise said. “SSRF can be used to map internal networks, locate vulnerable services, and steal cloud credentials.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *