
According to GreyNoise's analysis, over 400 IP addresses have been observed simultaneously targeting multiple SSRF CVEs, indicating a structured approach in these attack attempts. This surge in malicious activity was first detected on March 9, 2025.
Global Targets of SSRF Exploitation
The cyberattacks have been predominantly directed at organizations in various countries, including:
United States
Germany
Singapore
India
Lithuania
Japan
Israel (which experienced a significant increase in attacks on March 11, 2025)
List of Exploited SSRF Vulnerabilities
The following SSRF vulnerabilities have been actively targeted during these attacks:
CVE-2017-0929 (CVSS Score: 7.5) – DotNetNuke
CVE-2020-7796 (CVSS Score: 9.8) – Zimbra Collaboration Suite
CVE-2021-21973 (CVSS Score: 5.3) – VMware vCenter
CVE-2021-22054 (CVSS Score: 7.5) – VMware Workspace ONE UEM
CVE-2021-22175 (CVSS Score: 9.8) – GitLab CE/EE
CVE-2021-22214 (CVSS Score: 8.6) – GitLab CE/EE
CVE-2021-39935 (CVSS Score: 7.5) – GitLab CE/EE
CVE-2023-5830 (CVSS Score: 9.8) – ColumbiaSoft DocumentLocator
CVE-2024-6587 (CVSS Score: 7.5) – BerriAI LiteLLM
CVE-2024-21893 (CVSS Score: 8.2) – Ivanti Connect Secure
OpenBMCS 2.4 (Authenticated SSRF Attempt – No CVE assigned)
Zimbra Collaboration Suite (SSRF Attempt – No CVE assigned)
Coordinated and Automated Exploitation
GreyNoise has noted that multiple IP addresses are launching simultaneous attacks on various SSRF vulnerabilities rather than concentrating on a single exploit. This pattern suggests a structured, automated attack strategy or pre-compromise intelligence-gathering efforts by threat actors.
Mitigation and Security Recommendations
To counter these active SSRF exploitation attempts, organizations are advised to:
Apply the latest security patches for affected software.
Restrict outbound connections to only essential endpoints.
Monitor suspicious outbound requests to detect potential attacks.
Why SSRF Attacks Are Dangerous
Many modern cloud-based services rely on internal metadata APIs, which can become reachable to an attacker if an SSRF flaw is exploited. Attackers can leverage SSRF to:
Map internal networks
Identify vulnerable services
Steal sensitive cloud credentials
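The outbound-restriction and monitoring recommendations above, combined with the metadata API risk, as an added example that is not part of the original article: a Python check that flags logged outbound requests whose destination is a link-local (cloud metadata), loopback or private address, or is missing from an egress allowlist. The log format, the allowlist hostnames and the sample lines are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only external hosts this server needs (hypothetical names).
EGRESS_ALLOWLIST = {"api.payments.example", "updates.vendor.example"}

# Constructed sample log, format assumed: <timestamp> <app> <method> <url>
SAMPLE_LOG = """\
2025-03-09T10:00:01Z webapp GET https://api.payments.example/v1/charge
2025-03-09T10:00:02Z webapp GET http://169.254.169.254/latest/meta-data/
2025-03-09T10:00:03Z webapp GET http://10.0.4.17:8080/admin
2025-03-09T10:00:04Z webapp GET http://[::1]:6379/
2025-03-09T10:00:05Z webapp GET https://cdn.unknown.example/lib.js
"""

def classify(url, allowlist=EGRESS_ALLOWLIST):
    """Return why a destination is suspicious, or None if it is allowed."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        host = ""
    if not host:
        return "unparseable destination"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat as a hostname and apply the allowlist.
        return None if host in allowlist else "host not on egress allowlist"
    # Order matters: ipaddress also reports link-local and loopback as private.
    if ip.is_link_local:
        return "link-local address (cloud metadata range)"
    if ip.is_loopback:
        return "loopback address"
    if ip.is_private:
        return "private/internal address"
    return "raw public IP, not on egress allowlist"

def flag_outbound(log_text):
    """Return (timestamp, url, reason) for every suspicious outbound request."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        reason = classify(parts[3])
        if reason:
            findings.append((parts[0], parts[3], reason))
    return findings
```

Calling flag_outbound(SAMPLE_LOG) returns four findings; only the request to the allowlisted payments host passes. Hostnames are matched by name only, so an allowlisted name that resolves to an internal address still needs a check at the network layer.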
Given the growing sophistication of cyber threats, staying vigilant and implementing proactive security measures is critical to minimizing risks.