A recent report from GreyNoise, a leading threat intelligence firm, has shed light on a dramatic increase in coordinated cyber attacks exploiting Server-Side Request Forgery (SSRF) vulnerabilities across various platforms. The attacks, originating from over 400 different IP addresses, commenced around March 9, 2025, and have impacted a range of nations, including the United States, Germany, Singapore, India, Lithuania, Japan, and Israel. Notably, Israel experienced a significant spike in activity on March 11, 2025.
Exploited Vulnerabilities
The SSRF vulnerabilities being targeted in these attacks are associated with several high-profile systems. Some of the notable vulnerabilities include CVE-2017-0929 affecting DotNetNuke with a CVSS score of 7.5, and CVE-2020-7796 impacting the Zimbra Collaboration Suite, boasting a critical CVSS score of 9.8. Additional vulnerabilities under scrutiny are CVE-2021-21973 in VMware vCenter, CVE-2021-22054 in VMware Workspace ONE UEM, and CVE-2021-22175 affecting GitLab’s Community and Enterprise Editions. These specific vulnerabilities have varying degrees of severity, with CVSS scores ranging from moderate to critical levels.
Moreover, recent vulnerabilities such as CVE-2023-5830 in ColumbiaSoft DocumentLocator and CVE-2024-6587 in BerriAI LiteLLM have also been exploited, each holding a high CVSS score of 9.8 and 7.5, respectively. GreyNoise has also observed attempts to exploit SSRF vulnerabilities in platforms like OpenBMCS 2.4 and Zimbra Collaboration Suite that have not yet been assigned CVE numbers. The broad scope of these vulnerabilities underscores the expansive reach of the current SSRF attack surge, emphasizing that attackers are not focusing solely on one type of system but are broadening their targets to encompass a diverse array of platforms.
Attack Patterns and Recommendations
GreyNoise identifies the patterns of these cyber attacks as indicative of structured exploitation, automation, or pre-compromise intelligence gathering. This assertion is based on the observation that many of the same IP addresses are repeatedly targeting multiple SSRF flaws. This systematic approach suggests a well-coordinated effort aimed at leveraging specific SSRF vulnerabilities to gain unauthorized access and potentially disrupt targeted systems. As a countermeasure, GreyNoise recommends that organizations ensure their systems are updated with the latest patches to mitigate known vulnerabilities.
In addition, organizations are advised to restrict outbound connections to only essential endpoints and actively monitor for any suspicious outbound requests that could signal an ongoing attack. These steps are critical in defending against the sophisticated tactics being employed by cybercriminals in the current wave of SSRF exploits. Given the level of automation and coordination observed, it is clear that attackers are leveraging advanced tools and techniques to maximize their impact, highlighting the importance of robust cybersecurity measures and proactive monitoring.
The Importance of Securing Cloud Services
A new report by GreyNoise, a premier threat intelligence company, highlights a dramatic surge in coordinated cyber attacks targeting Server-Side Request Forgery (SSRF) vulnerabilities across multiple platforms. Originating from more than 400 distinct IP addresses, these attack efforts began around March 9, 2025. The cyber onslaught has affected a diverse array of countries, including the United States, Germany, Singapore, India, Lithuania, Japan, and Israel. Particularly noteworthy, Israel encountered a significant rise in cyber activity on March 11, 2025. SSRF vulnerabilities allow attackers to make unauthorized requests from the server, leading to potential data breaches and other malicious activities. GreyNoise’s detection of such widespread and coordinated attacks underscores the evolving nature of cybersecurity threats. The increasing frequency and scale of these attacks necessitate enhanced security measures. Organizations must stay vigilant, regularly update their defenses, and prioritize cybersecurity to protect against such sophisticated threats that continue to emerge on a global scale.