A coordinated surge in Server-Side Request Forgery (SSRF) exploitation has been detected across multiple widely used platforms, affecting organizations worldwide. Security monitoring reveals approximately 400 unique IP addresses actively targeting multiple SSRF-related CVEs simultaneously, indicating a sophisticated and potentially dangerous campaign.

The exploitation surge began on March 9, 2025, with attackers showing a pattern of targeting multiple vulnerabilities rather than focusing on a single known weakness. The attack pattern demonstrates an unusually systematic approach to exploitation, with many of the same IP addresses cycling between attack attempts on different vulnerabilities. The top countries receiving SSRF exploitation during the March 9 surge were the United States, Singapore, India, and Japan, suggesting targeted interest in organizations within these regions. Israel saw SSRF exploitation activity as early as January 2025, with renewed activity observed in this latest surge.

SSRF vulnerabilities allow attackers to abuse server functionality to make HTTP requests to arbitrary domains. The researchers noted that exploitation attempts typically involve malicious HTTP requests crafted to trick servers into making unauthorized internal or external requests to arbitrary domains of the attackers' choosing. These vulnerabilities are particularly dangerous in cloud environments, where they can be leveraged to access internal metadata APIs, map internal networks, locate vulnerable services, and steal cloud credentials. The significance of SSRF vulnerabilities was dramatically highlighted in the 2019 Capital One breach, which exposed over 100 million customer records through similar exploitation techniques.

Organizations should take immediate steps to ensure they are not exposed to these attacks by patching affected systems against the exploited CVEs, including CVE-2020-7796 (Zimbra Collaboration Suite), CVE-2021-22214 (GitLab CE/EE), CVE-2021-39935 (GitLab CE/EE), CVE-2021-22175 (GitLab CE/EE), CVE-2017-0929 (DotNetNuke), CVE-2021-22054 (VMware Workspace ONE UEM), CVE-2021-21973 (VMware vCenter), CVE-2023-5830 (ColumbiaSoft DocumentLocator), CVE-2024-21893 (Ivanti Connect Secure), and CVE-2024-6587 (BerriAI LiteLLM).

Security teams should implement URL validation that rejects or sanitizes user inputs containing internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and restrict outbound connections from internal applications to only the endpoints they actually need. Moreover, monitoring for suspicious outbound requests and setting up alerts for unexpected outbound connections can help detect exploitation attempts in progress. The current exploitation surge serves as a sobering reminder that SSRF vulnerabilities continue to pose significant risks to organizations worldwide.
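One way to implement the URL validation and outbound-endpoint restriction recommended above, as an added Python example that is not code from the article or the researchers it cites. The three RFC 1918 ranges are the article's; the loopback, link-local (where cloud metadata services such as 169.254.169.254 sit) and IPv6 ranges, the IPv4-mapped handling and the pluggable resolver are my additions, and the hostnames in the comments are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# The article's three ranges plus loopback, link-local (cloud metadata APIs
# sit at 169.254.169.254) and IPv6 counterparts; the extras are my additions.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}

def _resolve(host):
    # Default resolver: every address the host's DNS records point at.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_blocked_ip(ip):
    """True if the address lies in a blocked range; IPv4-mapped IPv6 is unwrapped."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)

def check_outbound_url(url, allowed_hosts=None, resolve=_resolve):
    """Return (True, [ips]) when the URL may be fetched, else (False, reason).
    allowed_hosts: the endpoints the application actually needs (None = range
    denylist only). Connect to the returned IPs rather than re-resolving, or a
    rebinding DNS record can change between this check and the request.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"  # http://trusted@10.0.0.1/ style trick
    host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host not on allowlist: {host}"
    try:
        targets = {str(ipaddress.ip_address(host))}  # IP literal, no DNS needed
    except ValueError:
        targets = set(resolve(host))  # "2130706433" only becomes 127.0.0.1 via the resolver
        if not targets:
            return False, f"host does not resolve: {host}"
    for ip in targets:
        if is_blocked_ip(ip):
            return False, f"{host} maps to blocked address {ip}"
    return True, sorted(targets)
```

Pair the check with egress rules at the network layer: a host-level validator cannot stop a request that bypasses the application's HTTP client.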
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 12 Mar 2025 09:25:15 +0000