Cybersecurity intelligence firm GreyNoise has detected a well-orchestrated escalation in the abuse of Server-Side Request Forgery (SSRF) vulnerabilities, with multiple attack vectors spanning diverse infrastructures.
“More than 400 distinct IP addresses have been observed aggressively exploiting multiple SSRF CVEs in unison, with significant overlaps in attack methodologies,” the company reported, noting that March 9, 2025, marked the emergence of this coordinated offensive.
Global Hotspots of SSRF Intrusions
Countries targeted by these systematic intrusion attempts include the United States, Germany, Singapore, India, Lithuania, and Japan. A particular surge in exploitation activity was noted in Israel on March 11, 2025.
Catalog of Exploited SSRF Vulnerabilities
The SSRF vulnerabilities currently under active exploitation include:
- CVE-2017-0929 (CVSS score: 7.5) – DotNetNuke
- CVE-2020-7796 (CVSS score: 9.8) – Zimbra Collaboration Suite
- CVE-2021-21973 (CVSS score: 5.3) – VMware vCenter
- CVE-2021-22054 (CVSS score: 7.5) – VMware Workspace ONE UEM
- CVE-2021-22175 (CVSS score: 9.8) – GitLab CE/EE
- CVE-2021-22214 (CVSS score: 8.6) – GitLab CE/EE
- CVE-2021-39935 (CVSS score: 7.5) – GitLab CE/EE
- CVE-2023-5830 (CVSS score: 9.8) – ColumbiaSoft DocumentLocator
- CVE-2024-6587 (CVSS score: 7.5) – BerriAI LiteLLM
- CVE-2024-21893 (CVSS score: 8.2) – Ivanti Connect Secure
- OpenBMCS 2.4 Authenticated SSRF Attack (No CVE assigned)
- Zimbra Collaboration Suite SSRF Attack (No CVE assigned)
Indicators of Systematic Exploitation
GreyNoise has underscored that numerous IPs are simultaneously targeting multiple SSRF vulnerabilities rather than each focusing on a single flaw. This behavioral pattern strongly hints at automated attacks, structured exploitation methodologies, or even preemptive reconnaissance aimed at mapping out vulnerabilities before a deeper breach.
Mitigation Strategies: Proactive Defense Against SSRF Attacks
Given the active and escalating nature of these exploitation attempts, organizations are urged to fortify their defenses by:
- Applying the latest security patches to remediate known SSRF vulnerabilities.
- Constraining outbound requests to only essential endpoints.
- Monitoring network activity for anomalous outbound traffic, which could indicate a potential breach.
GreyNoise further warns that SSRF flaws can serve as conduits for more extensive network reconnaissance. Many modern cloud services rely on internal metadata APIs, which, when exposed through an SSRF flaw, enable attackers to enumerate internal networks, locate exploitable services, and extract cloud credentials.
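One way to apply the "constrain outbound requests" advice and keep server-side fetches away from metadata APIs, as an added example that is not GreyNoise's or any vendor's code. The hostnames, the DNS table and the function names are hypothetical, and the DNS answers are constructed so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the only external endpoints this service needs.
ALLOWED_HOSTS = {"api.partner.example", "updates.vendor.example"}
ALLOWED_SCHEMES = {"https"}

# Constructed DNS answers. The second entry models an allowlisted name
# whose record points at the link-local cloud metadata address.
CONSTRUCTED_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "updates.vendor.example": ["169.254.169.254"],
}

def constructed_resolver(host):
    """Stand-in for a real DNS lookup (assumption: returns a list of IPs)."""
    return CONSTRUCTED_DNS.get(host, [])

def ip_is_internal(addr):
    """True for loopback, private, link-local, multicast and similar ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparseable answer: fail closed
    return (not ip.is_global) or ip.is_multicast

def check_outbound(url, resolve=constructed_resolver):
    """Return (allowed, reason) for a server-side fetch of `url`."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed-url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme-not-allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host-not-allowlisted"
    addrs = resolve(host)
    if not addrs:
        return False, "no-address"
    # Every answer must be public; one internal record is enough to refuse.
    if any(ip_is_internal(a) for a in addrs):
        return False, "resolves-to-internal-address"
    return True, "ok"

if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/items",
              "https://updates.vendor.example/feed"):
        print(u, check_outbound(u))
```

The fetch that follows should connect to the address that was vetted here rather than resolving the name again, and each redirect target should pass the same check before it is followed.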
Immediate vigilance and preemptive patching remain imperative to thwart these highly orchestrated cyber offensives.