Full Report
Threat intelligence firm GreyNoise is warning of a "coordinated surge" in the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities spanning multiple platforms. "At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts," the company said, adding it observed the activity on March 9, 2025. The countries which
Analysis Summary
# Vulnerability: Active Exploitation of Multiple Server-Side Request Forgery (SSRF) Vulnerabilities
## CVE Details
- CVE ID: Multiple (see the Targeted CVEs and Severity table under Exploitation)
- CVSS Score: Varies by CVE (Scores ranging from 5.3 to 9.8)
- CWE: Identified as Server-Side Request Forgery (SSRF)
## Affected Systems
- Products: DotNetNuke, Zimbra Collaboration Suite, VMware vCenter, VMware Workspace ONE UEM, GitLab CE/EE, ColumbiaSoft DocumentLocator, BerriAI LiteLLM, Ivanti Connect Secure, and OpenBMCS 2.4 (no CVE specified).
- Versions: Specific versions are not detailed in the summary, but the associated CVEs indicate known vulnerable release ranges.
- Configurations: General web applications susceptible to SSRF flaws.
## Vulnerability Description
The report details a coordinated cyber attack involving over 400 distinct IP addresses simultaneously exploiting multiple known Server-Side Request Forgery (SSRF) vulnerabilities across various software platforms. SSRF flaws allow an attacker to abuse a server's functionality to make arbitrary requests to internal or external resources. This can be leveraged to map internal networks, locate other vulnerable services, and potentially steal cloud credentials via metadata APIs.
## Exploitation
- Status: **Exploited in the wild** (Coordinated surge observed starting March 9, 2025, targeting specific CVEs).
- Complexity: **Low** to **Medium** (implied by the coordinated, automated nature of the activity observed by threat intelligence firms).
- Attack Vector: **Network** (Remote exploitation leveraging the web application interface).
### Targeted CVEs and Severity
| CVE ID | Product Snapshot | CVSS Score | Severity Equivalent |
| :--- | :--- | :--- | :--- |
| CVE-2017-0929 | DotNetNuke | 7.5 | High |
| CVE-2020-7796 | Zimbra Collaboration Suite | 9.8 | Critical |
| CVE-2021-21973 | VMware vCenter | 5.3 | Medium |
| CVE-2021-22054 | VMware Workspace ONE UEM | 7.5 | High |
| CVE-2021-22175 | GitLab CE/EE | 9.8 | Critical |
| CVE-2021-22214 | GitLab CE/EE | 8.6 | High |
| CVE-2021-39935 | GitLab CE/EE | 7.5 | High |
| CVE-2023-5830 | ColumbiaSoft DocumentLocator | 9.8 | Critical |
| CVE-2024-6587 | BerriAI LiteLLM | 7.5 | High |
| CVE-2024-21893 | Ivanti Connect Secure | 8.2 | High |
| Unspecified | OpenBMCS 2.4 | N/A | N/A |
| Unspecified | Zimbra Collaboration Suite | N/A | N/A |
## Impact
- Confidentiality: **High** (Potential access to internal network details and cloud credentials/metadata).
- Integrity: **High** (Potential for further exploitation on internal systems).
- Availability: **Medium** (Dependent on the target system and nature of the request made via SSRF).
## Remediation
### Patches
Users must apply the latest security patches provided by the respective vendors for all listed affected products. Specific patch details must be sourced from vendor advisories corresponding to the listed CVEs.
### Workarounds
1. **Limit Outbound Connections:** Restrict outbound network connections from affected application servers strictly to necessary endpoints.
2. **Monitor Suspicious Activity:** Implement monitoring for unusual outbound requests originating from application servers, especially those targeting internal IP ranges or cloud metadata endpoints.
## Detection
- Indicators of compromise: A high volume of traffic originating from the application server and destined for internal IP addresses that server does not normally reach; attempts to connect to known cloud provider metadata service endpoints (e.g., AWS EC2 metadata, Azure IMDS).
- Detection methods and tools: Network monitoring tools configured to alert on unexpected outbound connections from web application tiers. Threat intelligence platforms tracking the observed 400+ malicious IPs attempting these simultaneous attacks.
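A small egress-log check for the two indicators listed above, added here as an example; it is not part of the report or of GreyNoise's tooling. The key=value log format, the `app=webapp` tier tag and the internal allowlist are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample egress-log lines (not from the report) in an assumed key=value
# format such as a proxy or flow-log exporter might emit.
SAMPLE_LOG = """\
ts=2025-03-09T10:01:02Z src=10.20.0.15 dst=52.94.76.10 dport=443 app=webapp
ts=2025-03-09T10:01:05Z src=10.20.0.15 dst=169.254.169.254 dport=80 app=webapp
ts=2025-03-09T10:01:07Z src=10.20.0.15 dst=10.20.5.40 dport=5432 app=webapp
ts=2025-03-09T10:01:09Z src=10.20.0.15 dst=10.20.7.9 dport=22 app=webapp
ts=2025-03-09T10:01:11Z src=10.20.0.15 dst=172.16.3.2 dport=8080 app=webapp
ts=2025-03-09T10:01:13Z src=10.20.9.2 dst=10.20.7.9 dport=22 app=bastion
"""
# AWS EC2 IMDS, Azure IMDS and GCP's metadata server all answer on this address.
METADATA_IPS = {ipaddress.ip_address("169.254.169.254")}
# Assumed allowlist of (address, port) pairs the app tier legitimately needs (its database here).
ALLOWED_INTERNAL = {(ipaddress.ip_address("10.20.5.40"), 5432)}
APP_TIER_TAGS = {"webapp"}  # only web application hosts are in scope for SSRF egress
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) app=(\S+)")


def classify(dst, dport: int) -> Optional[str]:
    """Return an alert reason for one outbound destination, or None if it is expected."""
    if dst in METADATA_IPS:
        return "cloud-metadata-endpoint"
    if (dst, dport) in ALLOWED_INTERNAL:
        return None
    if dst.is_private or dst.is_link_local or dst.is_loopback:
        return "unexpected-internal-destination"
    return None  # public destination: outside this rule's scope


def find_ssrf_egress(log_text: str) -> List[Dict[str, str]]:
    """Flag app-tier connections to metadata services or non-allowlisted internal hosts."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, dst, dport, app = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if app not in APP_TIER_TAGS:
            continue
        reason = classify(ipaddress.ip_address(dst), dport)
        if reason:
            alerts.append({"src": src, "dst": dst, "dport": str(dport), "reason": reason})
    return alerts
```

Running it over the sample yields three alerts (the metadata endpoint and the two non-allowlisted internal hosts); the bastion line is ignored because it is outside the application tier.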
## References
- Vendor advisories are required for specific patching instructions for each CVE.
- GreyNoise Blog Post detailing the surge in exploitation attempts.