Surge in Server-Side Request Forgery Exploits Detected Across Multiple Platforms
GreyNoise, a threat intelligence firm, has issued an alarming warning regarding a “coordinated surge” in the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities across various platforms. This uptick, first identified on March 9, 2025, is particularly notable for involving at least 400 unique IP addresses that have been simultaneously targeting multiple SSRF Common Vulnerabilities and Exposures (CVEs). Observations of the exploit attempts indicate a significant overlap among the targeted systems, hinting at a structured and possibly automated approach to the attack.
The countries most affected by this SSRF exploitation activity include the United States, Germany, Singapore, India, Lithuania, Japan, and Israel. Notably, Israel has seen intensified activity as of March 11, 2025, making it a focal point for these threats. The widespread nature of the attacks raises concerns about the potential consequences for organizations operating in these jurisdictions.
Among the exploited vulnerabilities are several with critical CVSS scores, including CVE-2020-7796 in the Zimbra Collaboration Suite, which carries a notably high score of 9.8. Another notable vulnerability is CVE-2021-22175 in GitLab CE/EE, also scored 9.8. Exploitation at this scale poses serious risks for organizations that have not yet patched these flaws and underscores the urgency of reducing exposure.
GreyNoise highlights an emerging pattern: many of the attacking IPs are not focusing on a single vulnerability but are targeting multiple flaws concurrently. This behavior suggests prior reconnaissance or intelligence gathering by the attackers and corresponds to adversarial tactics such as initial access and exploitation in the MITRE ATT&CK framework. ATT&CK entries relevant to this type of activity include “Exploit Public-Facing Application” and “Command and Control,” the latter covering how attackers maintain connections with compromised systems.
The firm further warns of the potentially catastrophic implications of SSRF vulnerabilities, particularly for modern cloud services that rely on internal metadata APIs. If exploited, SSRF can give attackers access to sensitive internal network information and cloud credentials, paving the way for more extensive compromises.
In recent updates, GreyNoise reported that unidentified threat actors may also be leveraging Grafana applications to gain footholds in targeted environments. Observations of attempted path traversal in Grafana services coincided with the SSRF surge, further implying that attackers are utilizing reconnaissance techniques to identify valuable targets prior to executing their attacks.
To defend against this rising threat, organizations should apply the latest patches for the relevant vulnerabilities, restrict outbound connections to only the endpoints they require, and monitor closely for suspicious outbound requests. Given the breadth of this wave of attacks, the need for proactive cybersecurity measures cannot be overstated.
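As an added illustration of the outbound restrictions recommended above (example code, not from GreyNoise or this article), the following Python check validates a user-supplied URL before a server fetches it: it permits only http and https, resolves every address the name maps to, and refuses anything in private or link-local space, including the 169.254.169.254 address that cloud metadata services commonly use. The hostnames and the stub resolver are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Destinations a server that fetches user-supplied URLs must never reach from its own
# network position; cloud metadata services commonly sit at link-local 169.254.169.254.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}

def is_blocked_ip(ip_text):
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:169.254.169.254 as 169.254.169.254
    return any(ip in net for net in BLOCKED_NETWORKS)

def check_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason); every resolved address is checked, since a name with
    one public and one internal record is still a path to the internal network."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not permitted"
    if not parsed.hostname:
        return False, "missing host"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        infos = resolver(parsed.hostname, port, proto=socket.IPPROTO_TCP)
    except (ValueError, socket.gaierror) as exc:  # bad port or failed lookup
        return False, f"could not resolve destination: {exc}"
    addrs = {info[4][0] for info in infos}
    blocked = sorted(a for a in addrs if is_blocked_ip(a))
    if blocked:
        return False, f"resolves to blocked address(es) {blocked}"
    return True, f"allowed; connect only to {sorted(addrs)} and log the request"

# Constructed stand-in for DNS so the example runs offline (hypothetical names).
FAKE_DNS = {"cdn.example.com": ["203.0.113.10"], "intranet.example.internal": ["10.0.0.5"],
            "mixed.example.net": ["203.0.113.20", "169.254.169.254"]}

def fake_resolver(host, port, proto=0):
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal address, no lookup needed
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror(f"no constructed record for {host}")
        ips = FAKE_DNS[host]
    return [(None, None, proto, "", (ip, port)) for ip in ips]
```

Connect to the exact address that passed the check (setting the Host header yourself) rather than re-resolving the name, otherwise a record that changes between check and fetch defeats the control. Denied results are the events to feed into the outbound-request monitoring the article calls for.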
As this situation evolves, business stakeholders are advised to remain vigilant and informed about the ongoing risks associated with SSRF vulnerabilities, alongside others that may emerge in the increasingly complex cyber threat landscape.