Over 400 IPs Exploiting Multiple SSRF Vulnerabilities – A Coordinated Cyber Offensive

A significant wave of Server-Side Request Forgery (SSRF) attacks has been detected across multiple platforms, with at least 400 unique IPs actively exploiting multiple SSRF CVEs. The scale and structured nature of this campaign suggest automation, coordinated attack planning, and possibly pre-compromise intelligence gathering.

The Nature of SSRF and Why It’s Dangerous

SSRF is a web vulnerability in which the attacker induces the server to issue a request (usually HTTP, sometimes other URL schemes) to a destination of the attacker's choosing, so the request is made from the server's own network position and with whatever trust that position carries. By exploiting SSRF, adversaries can:

  • Reach internal systems that are not routable from the internet, such as admin interfaces, databases, and message queues listening on loopback or private addresses.
  • Bypass security controls like firewalls and allowlist-based access restrictions, because the request originates from a trusted host.
  • Read cloud instance metadata services, including temporary IAM credentials, which are typically served to any unauthenticated request from the instance itself.
  • Use those credentials and that network position for lateral movement and privilege escalation.

Given the growing reliance on cloud services and internal metadata APIs, SSRF remains one of the most dangerous attack vectors in modern enterprise environments: a single forged request to the metadata endpoint can turn a low-privilege web bug into cloud account credentials.
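As an added illustration (not code from the original article or from any product in the CVE table), the following Python shows the fetch pattern that makes SSRF possible beside a hardened version of the same function. The allowlisted hosts, the stand-in HTTP client `get`, the resolver hook and the sample URLs are assumptions made for this example.

```python
"""Vulnerable vs hardened server-side URL fetch.

Added example for this article; it is not code from the original post or
from any product in the CVE table. The allowlist, the stand-in HTTP
client `get` and the sample URLs are assumptions for illustration.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}  # assumed allowlist

Resolver = Callable[[str], Iterable[str]]


class SSRFBlocked(ValueError):
    """Raised when a server-side request would reach a forbidden destination."""


def fetch_vulnerable(url: str, get: Callable) -> bytes:
    """The SSRF pattern: the server fetches whatever URL the client supplied,
    so http://169.254.169.254/... or http://10.0.0.5:8080/ goes straight to
    the internal network. `get` stands in for an HTTP client such as requests.get."""
    return get(url)


def is_blocked_address(addr: str) -> bool:
    """True for any address an SSRF would want: loopback, link-local (the cloud
    metadata endpoint 169.254.169.254 lives here), RFC 1918, shared address
    space, multicast and the unspecified address. IPv4-mapped IPv6 is unwrapped
    so ::ffff:127.0.0.1 cannot slip past an IPv4-only check."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast or ip.is_unspecified


def default_resolver(host: str) -> list[str]:
    """Resolve every A/AAAA record; an attacker-controlled name can return
    one public and one internal answer, so all of them are checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolver: Resolver = default_resolver) -> str:
    """Allowlist scheme and host, then check every address the host resolves to."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        # http://api.example.com@127.0.0.1/ parses with hostname 127.0.0.1
        raise SSRFBlocked("userinfo in URL")
    host = parsed.hostname
    if not host or host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not allowlisted: {host!r}")
    for addr in resolver(host):
        if is_blocked_address(addr):
            raise SSRFBlocked(f"{host} resolves to blocked address {addr}")
    return url


def fetch_hardened(url: str, get: Callable, resolver: Resolver = default_resolver) -> bytes:
    """Validate first, then fetch without following redirects: a 302 to an
    internal address would otherwise bypass the check entirely."""
    safe_url = validate_outbound_url(url, resolver)
    return get(safe_url, allow_redirects=False)
```

Two caveats a practitioner should keep in mind. First, validate-then-connect leaves a small window for DNS rebinding: a production client should pin the validated address for the actual TCP connection (or resolve inside a custom transport) rather than letting the HTTP library resolve the name a second time. Second, this is application-layer defence only; the egress filtering and metadata-service hardening discussed later remain the backstop when validation is bypassed.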

Coordinated Exploitation Across Multiple Platforms

GreyNoise, a threat intelligence firm that runs a global sensor network, has confirmed that these 400+ IPs are not only engaging in widespread exploitation but are also targeting multiple SSRF vulnerabilities concurrently. That behavior points to automation: a single tool or botnet cycling through several SSRF exploits against every host it finds, rather than an actor targeting one product.

Affected CVEs

The vulnerabilities under active exploitation span various platforms, including enterprise collaboration suites, cloud management tools, and application frameworks:

CVE                      CVSS Score   Affected Software
CVE-2017-0929            7.5          DotNetNuke
CVE-2020-7796            9.8          Zimbra Collaboration Suite
CVE-2021-21973           5.3          VMware vCenter
CVE-2021-22054           7.5          VMware Workspace ONE UEM
CVE-2021-22175           9.8          GitLab CE/EE
CVE-2021-22214           8.6          GitLab CE/EE
CVE-2021-39935           7.5          GitLab CE/EE
CVE-2023-5830            9.8          ColumbiaSoft DocumentLocator
CVE-2024-6587            7.5          BerriAI LiteLLM
CVE-2024-21893           8.2          Ivanti Connect Secure
OpenBMCS 2.4 (No CVE)    n/a          OpenBMCS Authenticated SSRF
Zimbra Suite (No CVE)    n/a          Zimbra SSRF Exploit

Observed Attack Patterns

The attack telemetry shows that the targeted systems belong to high-profile organizations across multiple regions, including the United States, Germany, Singapore, India, Lithuania, Japan, and Israel. Notably, Israel saw a surge in attacks on March 11, 2025.

The attack methodology appears to follow a predictable cycle:

  1. Scanning & Reconnaissance – Attackers probe vulnerable instances across the internet.
  2. Automated Exploitation – Multiple SSRF vulnerabilities are exploited in quick succession.
  3. Credential Theft & Internal Lateral Movement – If a request succeeds, attackers point it at the cloud instance metadata service (for example 169.254.169.254 on AWS, Azure, and GCP) to retrieve temporary IAM credentials, then use those credentials and the server's network position to expand their foothold within the target's infrastructure.
  4. Data Exfiltration & Post-Exploitation – Attackers siphon sensitive information and escalate privileges within compromised environments.

Defensive Strategies Against SSRF Exploits

With SSRF actively exploited at scale, organizations must prioritize proactive mitigation measures:

1. Patch and Update Vulnerable Systems

Ensure that all systems are running the latest patches for affected software. Many of the exploited CVEs have security updates available, but unpatched systems remain an easy target.

2. Restrict Outbound Connections

  • Limit server-to-server HTTP requests to an explicit allowlist of destinations; application code should never fetch an arbitrary user-supplied URL.
  • Implement egress filtering so that application workloads cannot reach the instance metadata endpoint (169.254.169.254 and the cloud-specific hostnames) unless they genuinely need it, and require session-based metadata access such as AWS IMDSv2, which demands a PUT request with a custom header that a typical SSRF cannot send.
  • Use network segmentation so that a forged request from a web tier cannot reach databases, admin interfaces, or management networks.

3. Enforce Strong IAM Controls

  • Monitor for unusual API requests originating from internal servers.
  • Rotate credentials regularly, particularly for cloud IAM roles.
  • Utilize short-lived, scoped credentials rather than long-lived API keys.

4. Implement Web Application Firewalls (WAFs)

A WAF with SSRF-specific rules can block obvious payloads (metadata hostnames, loopback and private addresses, non-HTTP schemes) before they reach the backend. Treat it as one layer, not the fix: attackers routinely evade signature rules with alternate address notations, double encoding, and DNS names that resolve to internal addresses, so the application-level validation and egress controls above still have to be in place.

5. Monitor and Detect SSRF Attacks

  • Use threat intelligence feeds (such as GreyNoise) to identify known attacker IPs.
  • Employ SIEM and XDR solutions to flag anomalous outbound requests from application servers, in particular any connection to the metadata endpoint or to internal hosts the server never normally talks to.
  • Enable logging and alerting on inbound requests whose parameters carry URLs pointing at internal or metadata addresses, and on the outbound connections those requests trigger.
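The following Python is an added example, not code from GreyNoise or from the original post: a small detector run over constructed web access-log lines that flags SSRF-style payloads, cross-references the source IPs against a stand-in threat-intelligence list, and separates one-off probes from sources cycling through several payloads, which is the scripted, multi-exploit behavior described in the attack pattern section above. The log lines, the IP list, and the hostnames treated as metadata endpoints are assumptions for this example; the log format is the common combined format.

```python
"""SSRF probe detection over web access logs.

Added example for this article, not code from GreyNoise or the original
post. The log lines, the "known scanner" IP list and the thresholds are
constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed combined-format access log. Two sources try several distinct
# SSRF payloads in quick succession; one source is a single benign fetch
# followed by one probe.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Mar/2025:09:14:02 +0000] "GET /api/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512
198.51.100.7 - - [11/Mar/2025:09:14:03 +0000] "GET /proxy?target=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 403 0
198.51.100.7 - - [11/Mar/2025:09:14:03 +0000] "GET /render?src=http://metadata.google.internal/computeMetadata/v1/ HTTP/1.1" 500 0
203.0.113.42 - - [11/Mar/2025:09:20:11 +0000] "GET /api/fetch?url=https://cdn.example.com/logo.png HTTP/1.1" 200 8192
203.0.113.42 - - [11/Mar/2025:09:20:12 +0000] "GET /api/fetch?url=gopher://10.0.0.5:6379/_INFO HTTP/1.1" 400 0
192.0.2.250 - - [11/Mar/2025:09:31:40 +0000] "GET /api/fetch?url=http://[::1]:9200/_cat/indices HTTP/1.1" 502 0
192.0.2.250 - - [11/Mar/2025:09:31:41 +0000] "GET /api/fetch?url=http://0x7f000001/ HTTP/1.1" 502 0
"""

# Constructed stand-in for a threat-intelligence feed of known scanner IPs.
KNOWN_SCANNER_IPS = {"198.51.100.7"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Cloud metadata names: AWS/Azure/GCP IPv4 endpoint, GCP hostname, AWS IPv6 endpoint.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}
# Schemes that let an SSRF talk to non-HTTP services (Redis, LDAP, local files).
RISKY_SCHEMES = {"gopher", "dict", "file", "ftp", "ldap"}


def _is_internal(host: str) -> bool:
    """Non-global address in dotted, IPv6, IPv4-mapped, hex (0x7f000001) or
    plain-integer (2130706433) form; all are accepted by common HTTP clients."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if not re.fullmatch(r"0x[0-9a-fA-F]+|\d+", host):
            return False
        try:
            ip = ipaddress.ip_address(int(host, 0))
        except ValueError:
            return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def ssrf_indicator(value: str):
    """Return a short reason if a parameter value points at an SSRF target, else None.
    The value is unquoted once more to catch double-encoded payloads."""
    parsed = urlparse(unquote(value))
    if parsed.scheme and parsed.scheme.lower() in RISKY_SCHEMES:
        return f"scheme:{parsed.scheme.lower()}"
    host = parsed.hostname
    if not host:
        return None
    if host.lower() in METADATA_HOSTS:
        return "metadata-endpoint"
    return "internal-address" if _is_internal(host) else None


def parse_line(line: str):
    """Parse one combined-format line into a dict with decoded query parameters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qsl(urlparse(rec["path"]).query, keep_blank_values=True)
    return rec


def scan_log(text: str, known_ips=frozenset()):
    """One finding per request whose query carries an SSRF indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, value in rec["params"]:
            reason = ssrf_indicator(value)
            if reason:
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "path": urlparse(rec["path"]).path,
                    "param": name, "target": unquote(value), "reason": reason,
                    "status": int(rec["status"]), "known_scanner": rec["ip"] in known_ips,
                })
    return findings


def automated_sources(findings, min_distinct=2):
    """IPs that sent several different SSRF payloads: the scripted,
    multi-exploit behaviour rather than a one-off probe."""
    distinct = defaultdict(set)
    for f in findings:
        distinct[f["ip"]].add(f["target"])
    return sorted(ip for ip, targets in distinct.items() if len(targets) >= min_distinct)
```

In practice the same rules belong on the outbound side too: a finding with status 200 against the metadata path (the first sample line) is a confirmed credential read, not an attempt, and should trigger immediate rotation of the instance role's credentials rather than a ticket.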

Conclusion

The surge in SSRF exploitation across multiple vulnerabilities is a clear signal that adversaries are refining their tactics. The sheer scale—400+ IPs targeting multiple CVEs simultaneously—suggests structured, automated, and large-scale exploitation.

Organizations must act swiftly to mitigate these risks by patching vulnerabilities, implementing network restrictions, and monitoring outbound requests for suspicious activity. With cloud services increasingly reliant on internal metadata APIs, securing against SSRF-based reconnaissance and credential theft is more critical than ever.

Call to Action

Have you assessed your exposure to SSRF vulnerabilities? What steps are you taking to defend against these threats? Let’s discuss best practices for mitigating large-scale coordinated cyberattacks in the comments.


More articles by Custodian360