GreyNoise Detects Unusual SSRF Exploitation Trends Across Multiple CVEs
Key Takeaways
- On March 9, GreyNoise observed a coordinated surge in SSRF exploitation, affecting multiple widely used platforms.
- At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts.
- The top countries receiving SSRF exploitation attempts during the surge were the United States, Germany, Singapore, India, and Japan.
- Israel saw SSRF exploitation activity as early as January, with renewed activity observed in this latest surge.
- Historical parallels: SSRF vulnerabilities played a key role in the Capital One breach (2019), which exposed 100M+ records.
SSRF is a Major Target for Attackers For Good Reason
Among other things, attackers leverage SSRF for:
- Cloud Exploitation: Many modern cloud services rely on internal metadata APIs, which SSRF can access if exploited.
- Pivoting and Reconnaissance: SSRF can be used to map internal networks, locate vulnerable services, and steal cloud credentials.
Recent SSRF Exploitation Trends
GreyNoise is flagging a sharp increase in SSRF exploitation occurring on March 9 across multiple Server-Side Request Forgery (SSRF) vulnerabilities:
- ~400 unique IPs have been observed actively exploiting 10 SSRF-related CVEs.
- Many of the same IPs are targeting multiple SSRF vulnerabilities at once, rather than focusing on a single known vulnerability.
- Unlike routine botnet noise, this pattern suggests structured exploitation, automation, or pre-compromise intelligence gathering.

Which CVEs Are Being Exploited?
GreyNoise has identified active exploitation attempts against the following flaws. Click on the links to see real-time exploitation activity and block malicious IPs.
Historical SSRF Exploitation by Destination Country
GreyNoise has identified the following ten countries as having the greatest exploitation activity in the past 6 months across all reported SSRF flaws:

Additional countries seeing early SSRF exploitation, with spikes dating back to December 2024, are: Hong Kong, South Korea, Australia, France, Taiwan, Qatar, and Slovakia.
SSRF Exploitation in Past 24 Hours Limited to Israel and The Netherlands
Only two countries have been targeted in the past 24 hours:

Recommendations for Defenders
Organizations should take immediate steps to ensure they are not exposed:
- Patch and Harden Affected Systems
  - Review patches for the targeted CVEs and apply mitigations where available.
- Restrict Outbound Access Where Possible
  - Limit outbound connections from internal apps to only necessary endpoints.
- Monitor for Suspicious Outbound Requests
  - Set up alerts for unexpected outbound requests.
- Block Malicious IPs Using GreyNoise
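One way to act on the outbound-access and monitoring recommendations above, as an added example that is not GreyNoise code: a check over egress-proxy logs that alerts when an app's request lands in a loopback, link-local (cloud metadata) or private range, or goes to a host missing from that app's allowlist. The log format, app names, hostnames and allowlist are constructed assumptions.

```python
import ipaddress

# Ranges an internal app should not be fetching from on a user's behalf.
INTERNAL_NETS = {
    "loopback": ["127.0.0.0/8", "::1/128"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],  # cloud metadata APIs live here
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"],
}
NETS = [(label, ipaddress.ip_network(cidr))
        for label, cidrs in INTERNAL_NETS.items() for cidr in cidrs]

# Hypothetical per-app egress allowlist (assumption, not from the article).
ALLOWLIST = {"billing": {"api.payments.example"}, "thumbs": {"cdn.images.example"}}

# Constructed egress-proxy log lines: timestamp, app, requested host, resolved IP.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z app=billing host=api.payments.example ip=203.0.113.10
2025-01-01T10:00:02Z app=thumbs host=169.254.169.254 ip=169.254.169.254
2025-01-01T10:00:03Z app=thumbs host=cdn.images.example ip=10.0.4.7
2025-01-01T10:00:04Z app=billing host=files.unknown.example ip=198.51.100.23
2025-01-01T10:00:05Z app=thumbs host=cdn.images.example ip=::ffff:169.254.169.254
"""

def internal_range(ip_text):
    """Return the internal-range label for an address, or None if it is external."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 so ::ffff:169.254.169.254 is judged by the IPv4 rules.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    for label, net in NETS:
        if ip.version == net.version and ip in net:
            return label
    return None

def alerts(log_text, allowlist=ALLOWLIST):
    """Return (timestamp, app, host, reason) for each request worth alerting on."""
    found = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        label = internal_range(f["ip"])
        if label:  # checked first: an allowlisted name can still resolve inward
            found.append((ts, f["app"], f["host"], f"destination in {label} range"))
        elif f["host"] not in allowlist.get(f["app"], set()):
            found.append((ts, f["app"], f["host"], "host not on egress allowlist"))
    return found

if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(*alert)
```

The third and fifth sample lines show why the resolved address is checked before the hostname: an allowlisted name that resolves to an internal or metadata address still raises an alert.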
— — —
Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.
