On March 9, 2025, threat intelligence firm GreyNoise observed a coordinated surge in SSRF exploitation, affecting multiple widely used platforms. At least 400 IP addresses have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts. The top countries receiving SSRF exploitation attempts during the surge were the US, Germany, Singapore, India, and Japan. GreyNoise has observed Grafana path traversal attempts preceding the coordinated SSRF surge, indicating attackers may be using Grafana as a foothold for deeper exploitation.
Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location, either internally towards the organization’s network or externally to exfiltrate data. It is one of the OWASP Top 10 Application Security Risks.
Historical parallels: SSRF vulnerabilities played a key role in the 2019 Capital One breach, which exposed 100M+ records.
GreyNoise has identified active exploitation attempts against the following flaws:
- CVE-2017-0929 (CVSS score: 7.5) – DotNetNuke
- CVE-2020-7796 (CVSS score: 9.8) – Zimbra Collaboration Suite
- CVE-2021-21973 (CVSS score: 5.3) – VMware vCenter
- CVE-2021-22054 (CVSS score: 7.5) – VMware Workspace ONE UEM
- CVE-2021-22175 (CVSS score: 9.8) – GitLab CE/EE
- CVE-2021-22214 (CVSS score: 8.6) – GitLab CE/EE
- CVE-2021-39935 (CVSS score: 7.5) – GitLab CE/EE
- CVE-2023-5830 (CVSS score: 9.8) – ColumbiaSoft DocumentLocator
- CVE-2024-6587 (CVSS score: 7.5) – BerriAI LiteLLM
- CVE-2024-21893 (CVSS score: 8.2) – Ivanti Connect Secure
- OpenBMCS 2.4 Authenticated SSRF Attempt (No CVE)
- Zimbra Collaboration Suite SSRF Attempt (No CVE)
Organizations should promptly patch and secure affected systems, apply mitigations for targeted CVEs, and restrict outbound access to necessary endpoints. They should also monitor for suspicious outbound requests by setting up alerts for any unexpected activity.
Read more about it here.