Pierluigi Paganini
March 13, 2025
Threat intelligence firm GreyNoise observed Grafana path traversal exploitation attempts before the Server-Side Request Forgery (SSRF) surge on March 9, suggesting the attackers may be leveraging Grafana as an initial entry point for deeper exploitation.
The experts believe the attempts are the result of a coordinated attack, threat actors first scan exposed infrastructure before escalating their efforts. In past attacks, attackers exploited Grafana vulnerabilities to access configuration files and internal network details, reinforcing the possibility of reconnaissance-driven targeting.
“On March 9, GreyNoise observed a coordinated surge in SSRF exploitation, affecting multiple widely used platforms.” reads the advisory published by GreyNoise. “At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts. “
Most Server-Side Request Forgery exploitation attempts targeted entities in the United States, Germany, Singapore, India, Lithuania, Japan, and Israel.
The experts warn that attackers leverage SSRF for pivoting and reconnaissance and cloud exploitation.
GreyNoise observed a significant rise in SSRF exploitation on March 9, with around 400 unique IPs actively targeting 10 SSRF vulnerabilities. Many of these IPs are attempting to exploit multiple vulnerabilities simultaneously rather than targeting a single flaw. This pattern suggests an automation or pre-compromise reconnaissance, rather than typical botnet activity.
Below is the list of SSRF vulnerabilities being exploited in the attacks observed by the experts:
| Tag/CVE (Block Malicious IPs at Link) | Targeted Software |
|---|---|
| CVE-2020-7796 | Zimbra Collaboration Suite |
| CVE-2021-22214 | GitLab CE/EE |
| CVE-2021-39935 | GitLab CE/EE |
| CVE-2021-22175 | GitLab CE/EE |
| CVE-2017-0929 | DotNetNuke |
| CVE-2021-22054 | VMware Workspace ONE UEM |
| CVE-2021-21973 | VMware vCenter |
| CVE-2023-5830 | ColumbiaSoft DocumentLocator |
| CVE-2024-21893 | Ivanti Connect Secure |
| CVE-2024-6587 | BerriAI LiteLLM |
| (No CVE Assigned; See Right Link) | OpenBMCS 2.4 Authenticated SSRF Attempt |
| (No CVE Assigned; See Right Link) | Zimbra Collaboration Suite SSRF Attempt |
Organizations should promptly patch and secure affected systems, apply mitigations for targeted CVEs, and restrict outbound access to necessary endpoints. Additionally, they should monitor for suspicious outbound requests by setting up alerts for any unexpected activity.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Meta)
