400+ IPs Actively Exploiting SSRF Vulnerabilities in Ongoing Attacks

GreyNoise Intelligence has observed a significant increase in Server-Side Request Forgery (SSRF) exploitation activity, with over 400 IPs actively targeting multiple vulnerabilities.

This coordinated campaign is affecting widely used platforms and software, including Zimbra Collaboration Suite, GitLab CE/EE, VMware Workspace ONE UEM, and others.

The exploitation pattern indicates structured attacks involving automation or pre-compromise reconnaissance rather than routine botnet noise.

Surge in SSRF Exploitation Across Multiple CVEs

The affected CVEs include vulnerabilities such as CVE-2020-7796 (Zimbra Collaboration Suite), CVE-2021-22214 (GitLab CE/EE), CVE-2021-22054 (VMware Workspace ONE UEM), and CVE-2024-21893 (Ivanti Connect Secure), among others.

Notably, attackers are simultaneously targeting multiple SSRF flaws rather than focusing on individual vulnerabilities.

This approach underscores how attackers can use SSRF for cloud exploitation, internal network mapping, and credential theft.

Global Impact and Historical Context

The United States, Germany, Singapore, India, and Japan have been identified as the top countries experiencing SSRF exploitation attempts during this surge.

Israel has also seen renewed activity following earlier exploitation trends observed in January.

Historical parallels highlight the critical nature of SSRF vulnerabilities; for instance, the Capital One breach in 2019 exploited an SSRF flaw to expose over 100 million records.

GreyNoise data from the past six months reveals that other countries, including Hong Kong, South Korea, Australia, France, Taiwan, Qatar, and Slovakia, have also experienced spikes in SSRF exploitation activity.

However, activity in the past 24 hours has been limited to Israel and the Netherlands.

To mitigate the risks associated with SSRF exploitation, organizations are advised to patch affected systems promptly, reviewing the updates available for the targeted CVEs.

Restricting outbound access from internal applications to essential endpoints can help limit exposure.

Additionally, monitoring for suspicious outbound requests and blocking malicious IPs identified by GreyNoise are critical steps to enhance security posture.
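The outbound-request monitoring and egress restriction recommended above can be sketched as a check over proxy logs. This is an added example, not GreyNoise's code; the log format, the application name, and the allowlisted hosts are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the complete set of external hosts this application needs.
ALLOWED_HOSTS = {"api.payments.example", "updates.example"}

# Constructed egress-proxy log; assumed format: "<timestamp> <app> <method> <url>"
SAMPLE_LOG = """\
2025-03-10T09:14:02Z webapp GET https://api.payments.example/v1/charge
2025-03-10T09:14:07Z webapp GET http://169.254.169.254/latest/meta-data/
2025-03-10T09:14:09Z webapp GET http://10.0.4.17:8080/admin
2025-03-10T09:14:11Z webapp GET http://[::1]:6379/
2025-03-10T09:14:20Z webapp GET https://unknown-host.example/callback
"""

def classify(url):
    """Return a reason string if the destination looks suspicious, else None."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a name, not an IP literal
    if ip is not None:
        # Order matters: loopback and link-local also count as private.
        if ip.is_loopback:
            return "loopback"
        if ip.is_link_local:
            return "link-local (cloud metadata range)"
        if ip.is_private:
            return "private-network"
    if host not in ALLOWED_HOSTS:
        return "not-in-allowlist"
    return None

def scan(log_text):
    """Return (timestamp, app, url, reason) for every flagged request."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, app, _method, url = parts
        reason = classify(url)
        if reason:
            findings.append((ts, app, url, reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```

The check inspects only the URL as logged; a hostname that resolves to an internal address still has to be caught at the network layer, which is why the egress restriction is recommended alongside monitoring.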

GreyNoise provides real-time data on malicious IPs linked to specific CVEs, enabling defenders to take proactive measures against ongoing threats.

The platform’s intelligence highlights structured attack patterns that demand immediate attention from security teams.

The surge in SSRF exploitation underscores the importance of addressing these vulnerabilities promptly to prevent potential breaches.

As attackers continue to leverage SSRF for cloud exploitation and reconnaissance purposes, organizations must prioritize patching efforts and adopt robust monitoring practices.

GreyNoise’s insights offer actionable intelligence to help defenders stay ahead of emerging threats in an increasingly complex cybersecurity landscape.
