Introduction
On March 9, 2025, cybersecurity researchers at GreyNoise observed a surge in Server-Side Request Forgery (SSRF) attacks, with over 400 unique IP addresses exploiting multiple known vulnerabilities across widely used platforms. The scale and precision of this attack suggest that it was not a random event but a coordinated campaign targeting organizations worldwide.
How Do We Know the Attack Was Coordinated?
1. Large-Scale Involvement of Unique IPs
One of the most telling signs of coordination is the sheer volume of attackers involved. GreyNoise detected over 400 different IPs participating in the exploitation of various SSRF vulnerabilities. The large number of distinct sources suggests the use of a botnet or distributed attack infrastructure, rather than isolated threat actors working independently.
2. Simultaneous Targeting of Multiple CVEs
Instead of focusing on a single vulnerability, the attackers simultaneously exploited multiple SSRF-related CVEs, including:
- Zimbra Collaboration Suite (CVE-2020-7796)
- GitLab CE/EE (CVE-2021-22214, CVE-2021-39935, CVE-2021-22175)
- DotNetNuke (CVE-2017-0929)
- VMware vCenter (CVE-2021-21973)
- Ivanti Connect Secure (CVE-2024-21893)
- BerriAI LiteLLM (CVE-2024-6587)
The fact that several unrelated platforms were exploited simultaneously indicates pre-planned attack automation rather than random scanning.
3. Geographic Dispersion of Targets
The attacks were global, with organizations in the United States, Germany, Singapore, India, and Japan experiencing high levels of exploitation attempts. Additionally, Israel saw similar SSRF attack activity as early as January 2025, hinting at an ongoing, multi-phase operation rather than a spontaneous event.
4. Automation and Pattern Recognition
Many of the same IP addresses targeted multiple SSRF vulnerabilities in rapid succession, a hallmark of automated attack scripts or botnets. This suggests that the attackers were using a pre-programmed toolset designed to systematically exploit vulnerable systems.
5. Connection to Earlier Reconnaissance Activity
GreyNoise reported an increase in path traversal exploit attempts against Grafana prior to the SSRF attacks. This indicates that attackers were likely mapping out internal network infrastructure before launching the SSRF exploits. Such a multi-stage approach, reconnaissance followed by exploitation, is commonly used in advanced persistent threats (APTs).
6. Exploitation of Vulnerabilities Without Assigned CVEs
Some of the exploited vulnerabilities had no CVE identifiers assigned at the time, including SSRF attempts against OpenBMCS 2.4 and Zimbra Collaboration Suite. This strongly suggests that the attackers had inside knowledge or access to zero-day vulnerabilities, further reinforcing the theory of an organized, well-funded campaign.
Defensive Measures Against SSRF Exploits
With SSRF attacks on the rise, organizations must take proactive steps to mitigate risks:
- Apply Security Patches: Ensure all systems are updated with the latest patches for known vulnerabilities.
- Restrict Outbound Connections: Limit server-side requests to only necessary endpoints.
- Monitor for Anomalous Traffic: Deploy security tools to detect and alert on unusual outbound requests.
- Use Web Application Firewalls (WAFs): Configure WAFs to block unauthorized HTTP requests that could be used for SSRF.
- Leverage Threat Intelligence: Track emerging threats and block known malicious IPs to prevent SSRF attacks.
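As an added illustration of the "Restrict Outbound Connections" item (example code written for this page, not from the GreyNoise report or any product named above), the check below decides whether an application may issue a server-side request at all: the destination must be on an allow-list, and every address it resolves to must be public, so that requests aimed at loopback, RFC 1918 or cloud-metadata addresses are refused. The hostnames, the allow-list and the resolver table are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example (not from the GreyNoise write-up or any product above). `resolve`
# is injected so the check runs offline; in production wrap socket.getaddrinfo().
ALLOWED_SCHEMES = {"http", "https"}

def _blocked(ip):
    """Ranges SSRF payloads aim at: loopback, RFC 1918, link-local
    (cloud metadata 169.254.169.254), multicast, reserved, unspecified."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_outbound(url, allowed_hosts, resolve):
    """Return (ok, reason, pinned_ip). The caller connects to pinned_ip, not
    to the name, so a later DNS answer (rebinding) cannot redirect it."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    host = parts.hostname              # userinfo, port and [] already stripped
    if not host:
        return False, "missing host", None
    # Allow-list first: an unexpected host never even gets a DNS lookup.
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, "host not on allow-list", None
    try:                               # literal IPv4/IPv6 in the URL
        addrs = [ipaddress.ip_address(host)]
    except ValueError:                 # a name; DNS also normalises "127.1"
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False, "unresolvable host", None
    # Every record must be public: one internal answer in a multi-record
    # response (split-horizon DNS, rebinding) is enough to refuse.
    for ip in addrs:
        v4 = ip.ipv4_mapped if isinstance(ip, ipaddress.IPv6Address) else None
        if _blocked(v4 or ip):
            return False, f"resolves to blocked address {ip}", None
    return True, "ok", str(addrs[0])

# Constructed resolver table standing in for DNS; 93.184.216.34 is only a sample.
FAKE_DNS = {"api.partner.example": ["93.184.216.34"],
            "cdn.partner.example": ["93.184.216.34", "10.0.0.5"]}

def demo():
    """Run the check over constructed URLs; returns {url: (ok, reason, ip)}."""
    allowed = {"api.partner.example", "cdn.partner.example"}
    urls = ["https://api.partner.example/v1/export",
            "https://cdn.partner.example/asset",           # internal record leaks
            "http://169.254.169.254/latest/meta-data/"]    # not on allow-list
    return {u: check_outbound(u, allowed, lambda h: FAKE_DNS.get(h, []))
            for u in urls}
```

Pinning the resolved address and refusing redirects in the HTTP client are what make the check hold after it has passed; a resolver-only check can be bypassed by a name that changes its answer between lookup and connect.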
Conclusion
This SSRF exploitation surge demonstrates a high level of coordination, automation, and planning by threat actors. The attack’s scale, multi-stage approach, and simultaneous targeting of multiple platforms indicate a structured cyber threat operation rather than a random set of opportunistic attacks. Organizations must remain vigilant, prioritize security patches, and implement strong detection measures to mitigate these evolving risks.
Have you observed any unusual network activity related to SSRF attempts? Share your insights in the comments below.