SSRF Vulnerabilities Targeted by 400+ IPs in Coordinated Attack

Home/Exploitation, Internet Security, Security Advisory, Security Update, Tips, vulnerability/SSRF Vulnerabilities Targeted by 400+ IPs in Coordinated Attack

SSRF Vulnerabilities Targeted by 400+ IPs in Coordinated Attack

GreyNoise has reported a coordinated wave of attacks exploiting Server-Side Request Forgery (SSRF) vulnerabilities across various platforms. According to the firm, over 400 IP addresses were identified actively targeting multiple SSRF-related CVEs simultaneously, suggesting a well-organized campaign.

SSRF Vulnerability

The activity was first observed on March 9, 2025, with attackers demonstrating a pattern of overlapping techniques.

The targeted regions include major countries like the United States, Germany, Singapore, India, Lithuania, and Japan. Additionally, Israel experienced a noticeable spike in SSRF exploitation attempts on March 11, 2025, indicating the attackers’ expanding focus.

The following SSRF vulnerabilities are currently being exploited:

  • CVE-2017-0929 (CVSS 7.5) – DotNetNuke
  • CVE-2020-7796 (CVSS 9.8) – Zimbra Collaboration Suite
  • CVE-2021-21973 (CVSS 5.3) – VMware vCenter
  • CVE-2021-22054 (CVSS 7.5) – VMware Workspace ONE UEM
  • CVE-2021-22175 (CVSS 9.8) – GitLab CE/EE
  • CVE-2021-22214 (CVSS 8.6) – GitLab CE/EE
  • CVE-2021-39935 (CVSS 7.5) – GitLab CE/EE
  • CVE-2023-5830 (CVSS 9.8) – ColumbiaSoft DocumentLocator
  • CVE-2024-6587 (CVSS 7.5) – BerriAI LiteLLM
  • CVE-2024-21893 (CVSS 8.2) – Ivanti Connect Secure
  • OpenBMCS 2.4 – Authenticated SSRF attempt (No CVE)
  • Zimbra Collaboration Suite – SSRF attempt (No CVE)

These vulnerabilities impact a range of platforms, underscoring the need for immediate patching and security updates.

GreyNoise reported that several IP addresses are targeting multiple SSRF vulnerabilities simultaneously, indicating organized exploitation, automation, or pre-compromise intelligence gathering.

To reduce risks, users are advised to:

  • Apply the latest security patches.
  • Restrict outbound connections to essential endpoints.
  • Monitor for unusual outbound requests.

GreyNoise also warned that modern cloud services often rely on internal metadata APIs, which SSRF exploits can access. Attackers can use this access to map internal networks, identify weak points, and steal cloud credentials.

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

Post Views: 158
By | 2025-03-17T22:46:01+05:30 March 14th, 2025|Exploitation, Internet Security, Security Advisory, Security Update, Tips, vulnerability|

About the Author:

FirstHackersNews- Identifies Security

Related Posts

Leave A Comment

Subscribe to our newsletter to receive security tips everday!