A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which can include Identity and Access Management (IAM) credentials from the IMDSv1 endpoint.
Retrieving IAM credentials allows attackers to escalate their privileges and access S3 buckets or control other AWS services, potentially leading to sensitive data exposure, manipulation, and service disruption.
The campaign was discovered by F5 Labs researchers, who report that the malicious activity peaked between March 13 and 25, 2025. The traffic and behavioral patterns strongly suggest that it was carried out by a single threat actor.
Campaign overview
SSRF flaws are web vulnerabilities that allow attackers to "trick" a server into making HTTP requests to internal resources on their behalf, resources that are usually not reachable by the attacker directly.
In the campaign observed by F5, the attackers located websites hosted on EC2 with SSRF flaws, allowing them to remotely query the internal EC2 Metadata URLs and retrieve sensitive data.
EC2 Metadata is a service in Amazon EC2 (Elastic Compute Cloud) that provides information about a virtual machine running on AWS. This information can include configuration details, network settings, and potentially, security credentials.
This metadata service is only accessible from the virtual machine itself, by connecting to specific URLs on internal IP addresses, like http://169.254.169.254/latest/meta-data/.
The first malicious SSRF probe was logged on March 13, but the campaign escalated to full scale between March 15 and 25, using multiple FBW Networks SAS IPs based in France and Romania.
During this time, the attackers rotated six query parameter names (dest, file, redirect, target, URI, URL) and four subpaths (e.g., /meta-data/, /user-data), showing a systematic approach to exfiltrating sensitive data from vulnerable sites.
The attacks worked because the vulnerable instances were running IMDSv1, AWS's older metadata service that allows anyone with access to the instance to retrieve the metadata, including any stored IAM credentials.
IMDSv1 has been superseded by IMDSv2, which requires session tokens (authentication) to protect websites from SSRF attacks.
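The rotated parameter names and metadata subpaths described above give defenders a concrete pattern to hunt for in web server access logs. The following detector is an added example, not code from F5 Labs or from the article; it assumes combined-format access logs and uses constructed sample lines rather than real campaign traffic.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Query parameter names the campaign rotated through (as listed in the report).
SUSPECT_PARAMS = {"dest", "file", "redirect", "target", "uri", "url"}
# IMDS link-local address and the metadata paths named in the article.
IMDS_MARKERS = ("169.254.169.254", "/meta-data", "/user-data")

# Constructed sample lines in combined log format (not real traffic; IPs are documentation ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Mar/2025:10:01:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512
203.0.113.10 - - [15/Mar/2025:10:01:03 +0000] "GET /fetch?dest=http%3A%2F%2F169.254.169.254%2Flatest%2Fuser-data HTTP/1.1" 200 1024
198.51.100.7 - - [15/Mar/2025:10:02:00 +0000] "GET /fetch?url=https://example.com/image.png HTTP/1.1" 200 20480
203.0.113.10 - - [15/Mar/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def is_imds_probe(request_path: str) -> bool:
    """True if any suspect query parameter points at the EC2 metadata service."""
    query = parse_qs(urlparse(request_path).query, keep_blank_values=True)
    for name, values in query.items():
        if name.lower() not in SUSPECT_PARAMS:
            continue
        for value in values:
            # parse_qs already decoded once; decode again to catch double-encoded values.
            decoded = unquote(value).lower()
            if any(marker in decoded for marker in IMDS_MARKERS):
                return True
    return False


def find_imds_probes(log_text: str) -> list:
    """Return the parsed log entries that look like SSRF probes aimed at IMDS."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_imds_probe(m.group("path")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": m.group("path"), "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in find_imds_probes(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], hit["status"], hit["path"])
```

A 200 status on a flagged request is the signal that matters: on an instance enforcing IMDSv2, the same request would fail because the SSRF cannot supply the session token header.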
Broader exploitation activity
These attacks were highlighted in a March 2025 threat trends report in which F5 Labs documented the most exploited vulnerabilities of the past month.
The top four most exploited CVEs by volume were:
CVE-2017-9841 – PHPUnit remote code execution via eval-stdin.php (69,433 attempts)
CVE-2020-8958 – Guangzhou ONU OS command injection RCE (4,773 attempts)
CVE-2023-1389 – TP-Link Archer AX21 command injection RCE (4,698 attempts)
CVE-2019-9082 – ThinkPHP PHP injection RCE (3,534 attempts)
[Figure: Exploitation volumes. Source: F5 Labs]
The report underlines that older vulnerabilities remain highly targeted, with 40% of exploited CVEs being over four years old.
To mitigate the threats, it is recommended to apply the available security updates, harden router and IoT device configurations, and replace EoL networking equipment with supported models.