400+ IPs Exploiting Multiple SSRF Vulnerabilities

GreyNoise warns of a coordinated increase in the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities across various platforms.

“At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts,” the company said, adding it observed the activity on March 9, 2025.

• Hot Topic

WhatsApp banned on all US House of Representatives devices

By F2 / Tuesday , June 24 2025

The U.S. House of Representatives has banned congressional staff from using WhatsApp on government devices due to security concerns, as...

Read More

• Alert

Kaspersky found “SparkKitty” Malware on Google Play, Apple App Store

By F2 / Tuesday , June 24 2025

Kaspersky found a new mobile malware dubbed SparkKitty in Google Play and Apple App Store apps, targeting Android and iOS....

Read More

• International

OWASP AI Testing Guide Launched to Uncover Vulns in AI Systems

By F2 / Tuesday , June 24 2025

OWASP has released its AI Testing Guide, a framework to help organizations find and fix vulnerabilities specific to AI systems....

Read More

• Bank
• National

Axentec Launches Bangladesh’s First Locally Hosted Tier-4 Cloud Platform

By F2 / Tuesday , June 24 2025

In a major milestone for the country’s digital infrastructure, Axentec PLC has officially launched Axentec Cloud, Bangladesh’s first Tier-4 cloud...

Read More

• Alert
• Cyber Attack

Hackers Bypass Gmail MFA With App-Specific Password Reuse

By infosecbulletin / Monday , June 23 2025

A hacking group reportedly linked to Russian government has been discovered using a new phishing method that bypasses two-factor authentication...

Read More

• Cyber Attack

Russia detects first SuperCard malware attacks via NFC

By infosecbulletin / Wednesday , June 18 2025

Russian cybersecurity experts discovered the first local data theft attacks using a modified version of legitimate near field communication (NFC)...

Read More

• Cyber Attack
• Data Breach

Income Property Investments exposes 170,000+ Individuals record

By infosecbulletin / Tuesday , June 17 2025

Cybersecurity researcher Jeremiah Fowler discovered an unsecured database with 170,360 records belonging to a real estate company. It contained personal...

Read More

• Alert
• Cyber Attack
• Vulnerabilities

ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs

By infosecbulletin / Tuesday , June 17 2025

GreyNoise found attempts to exploit CVE-2023-28771, a vulnerability in Zyxel's IKE affecting UDP port 500. The attack centers around CVE-2023-28771,...

Read More

• Alert
• Vulnerabilities

CISA Flags Active Exploits in Apple iOS and TP-Link Routers

By infosecbulletin / Tuesday , June 17 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included two high-risk vulnerabilities in its Known Exploited Vulnerabilities (KEV)...

Read More

• Data Breach

10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online

By infosecbulletin / Monday , June 16 2025

SafetyDetectives’ Cybersecurity Team discovered a public post on a clear web forum in which a threat actor claimed to have...

Read More

Countries targeted by SSRF exploitation attempts include the United States, Germany, Singapore, India, Lithuania, Japan, and notably Israel, which experienced a surge on March 11, 2025.

The list of SSRF vulnerabilities being exploited are listed below:

CVE-2017-0929 (CVSS score: 7.5) – DotNetNuke
CVE-2020-7796 (CVSS score: 9.8) – Zimbra Collaboration Suite
CVE-2021-21973 (CVSS score: 5.3) – VMware vCenter
CVE-2021-22054 (CVSS score: 7.5) – VMware Workspace ONE UEM
CVE-2021-22175 (CVSS score: 9.8) – GitLab CE/EE
CVE-2021-22214 (CVSS score: 8.6) – GitLab CE/EE
CVE-2021-39935 (CVSS score: 7.5) – GitLab CE/EE
CVE-2023-5830 (CVSS score: 9.8) – ColumbiaSoft DocumentLocator
CVE-2024-6587 (CVSS score: 7.5) – BerriAI LiteLLM
CVE-2024-21893 (CVSS score: 8.2) – Ivanti Connect Secure
OpenBMCS 2.4 Authenticated SSRF Attempt (No CVE)
Zimbra Collaboration Suite SSRF Attempt (No CVE)

Many of the same IP addresses are targeting multiple SSRF vulnerabilities simultaneously, indicating organized exploitation or automated attacks.

Users should apply the latest patches, restrict outbound connections to only what’s necessary, and watch for any suspicious outbound requests due to ongoing exploitation attempts.

“Many modern cloud services rely on internal metadata APIs, which SSRF can access if exploited,” GreyNoise said. “SSRF can be used to map internal networks, locate vulnerable services, and steal cloud credentials.”