Massive Cyber Assault: 400+ IPs Target Multiple Countries in Coordinated SSRF Vulnerability Exploitation

# Coordinated Surge in SSRF Vulnerability Exploitation Detected

Threat intelligence firm GreyNoise has identified a coordinated campaign targeting Server-Side Request Forgery (SSRF) vulnerabilities across multiple platforms. On March 9, 2025, at least 400 IP addresses were observed simultaneously exploiting numerous SSRF vulnerabilities, with significant overlap between attack attempts.

The primary targets include organizations in the United States, Germany, Singapore, India, Lithuania, and Japan, with Israel experiencing a notable surge on March 11, 2025.

## Vulnerabilities Under Exploitation

The campaign targets multiple SSRF vulnerabilities:

– CVE-2017-0929 (CVSS 7.5) – DotNetNuke
– CVE-2020-7796 (CVSS 9.8) – Zimbra Collaboration Suite
– CVE-2021-21973 (CVSS 5.3) – VMware vCenter
– CVE-2021-22054 (CVSS 7.5) – VMware Workspace ONE UEM
– CVE-2021-22175 (CVSS 9.8) – GitLab CE/EE
– CVE-2021-22214 (CVSS 8.6) – GitLab CE/EE
– CVE-2021-39935 (CVSS 7.5) – GitLab CE/EE
– CVE-2023-5830 (CVSS 9.8) – ColumbiaSoft DocumentLocator
– CVE-2024-6587 (CVSS 7.5) – BerriAI LiteLLM
– CVE-2024-21893 (CVSS 8.2) – Ivanti Connect Secure
– OpenBMCS 2.4 Authenticated SSRF Attempt (No CVE)
– Zimbra Collaboration Suite SSRF Attempt (No CVE)

GreyNoise reports that attackers are targeting multiple vulnerabilities simultaneously rather than focusing on a single weakness, suggesting structured exploitation, automation, or pre-compromise intelligence gathering.

## Mitigation Recommendations

Organizations should:
– Apply the latest security patches
– Restrict outbound connections to necessary endpoints only
– Monitor for suspicious outbound requests

GreyNoise warns that SSRF vulnerabilities can be particularly dangerous in cloud environments, as they can be exploited to access internal metadata APIs, map internal networks, locate vulnerable services, and steal cloud credentials.
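To make the "restrict" and "monitor" recommendations concrete, the Python example below (added here, not from GreyNoise or the original article) classifies outbound request URLs from an egress log and flags anything that is not an approved endpoint, including IP literals written in integer or hex form that simple string filters miss. The allowlist hostnames and the log format are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only hosts this server legitimately calls (hypothetical names).
ALLOWED_HOSTS = {"api.payments.example", "updates.vendor.example"}

# Constructed egress-proxy log lines: "<timestamp> <source> <method> <url>"
SAMPLE_LOG = """\
2025-03-09T10:00:01Z app01 GET https://api.payments.example/v1/charge
2025-03-09T10:00:02Z app01 GET http://169.254.169.254/
2025-03-09T10:00:03Z app02 GET http://2852039166/
2025-03-09T10:00:04Z app02 GET http://0x7f000001:8080/
2025-03-09T10:00:05Z app03 GET http://10.0.0.5/
2025-03-09T10:00:06Z app03 GET https://cdn.unknown.example/x
"""

def to_ip(host):
    """Parse IP literals, including legacy IPv4 spellings (integer, hex,
    short dotted) that HTTP clients accept; return None for hostnames."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_aton(host))
    except (OSError, ValueError):
        return None

def classify(url):
    """Label a URL 'allowed', 'unlisted', 'internal' or 'link-local'."""
    host = (urlsplit(url).hostname or "").lower()
    ip = to_ip(host)
    if ip is None:
        return "allowed" if host in ALLOWED_HOSTS else "unlisted"
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped              # unwrap ::ffff:a.b.c.d
    if ip.is_link_local:
        return "link-local"              # range of 169.254.169.254 metadata APIs
    if ip.is_private or ip.is_loopback or ip.is_unspecified:
        return "internal"
    return "unlisted"                    # raw public IP, not an approved endpoint

def suspicious(log_text):
    """Return (source, url, verdict) for every request that is not allowed."""
    rows = (line.split(maxsplit=3) for line in log_text.splitlines())
    checked = ((src, url, classify(url)) for _ts, src, _method, url in rows)
    return [hit for hit in checked if hit[2] != "allowed"]
```

The check works on the URL as logged and does not resolve DNS, so a hostname that resolves to an internal address still needs to be caught by network-level egress rules.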
