A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which can include Identity and Access Management (IAM) credentials served by the IMDSv1 endpoint.
Retrieving IAM credentials allows attackers to escalate their privileges and access S3 buckets or control other AWS services, potentially leading to sensitive data exposure, manipulation, and service disruption.
The campaign was discovered by F5 Labs researchers, who report that the malicious activity peaked between March 13 and 25, 2025. The traffic and behavioral patterns strongly suggest that it was carried out by a single threat actor.
Campaign overview
SSRF issues are web flaws that allow attackers to "trick" a server into making HTTP requests to internal resources on their behalf, resources that are normally not reachable by the attacker directly.
In the campaign observed by F5, the attackers located websites hosted on EC2 with SSRF flaws, allowing them to remotely query the internal EC2 Metadata URLs and retrieve sensitive data.
EC2 Metadata is a service in Amazon EC2 (Elastic Compute Cloud) that provides information about a virtual machine running on AWS. This information can include configuration details, network settings, and, potentially, security credentials.
This metadata service is only reachable from the virtual machine itself, by connecting to specific URLs on a link-local IP address, like http://169.254.169.254/latest/meta-data/.
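To make the flaw concrete, here is an added illustration (not code from F5's report or from any affected site) of the pattern behind such bugs: a handler that forwards a user-supplied URL to an HTTP client unchecked, beside a hardened version that refuses link-local, loopback, private and IMDS addresses before any request is made. The function names, the injected `fetcher` callable (so the example runs offline) and the sample URLs are all assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed example, not code from the F5 report or from any vulnerable site.
# The IPv4 and IPv6 addresses of the EC2 metadata service (IMDS).
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}


def vulnerable_fetch(url, fetcher):
    """Classic SSRF: hand a user-controlled URL straight to an HTTP client.
    `fetcher` is injected so this runs offline; in real code it would be
    something like requests.get(url).text, which makes the request *from the
    instance*, so http://169.254.169.254/... resolves to the IMDS."""
    return fetcher(url)


def _resolve(host):
    """Return the IP addresses a host resolves to (IP literals pass through).
    Note that getaddrinfo also accepts odd IPv4 spellings such as decimal
    integers, so they end up validated as addresses rather than bypassing."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_target(url, resolver=_resolve):
    """True only for http(s) URLs whose host resolves exclusively to globally
    routable addresses. Link-local (169.254/16, fe80::/10), loopback, RFC 1918,
    unique-local IPv6 and the IMDS addresses are all rejected. `resolver` is
    injectable so tests can run without DNS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # urlsplit lowercases and strips IPv6 brackets
    if host in IMDS_HOSTS:
        return False
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    except (socket.gaierror, ValueError):
        return False
    return bool(addrs) and all(a.is_global for a in addrs)


def hardened_fetch(url, fetcher, resolver=_resolve):
    """Fetch only after validation, otherwise raise. A real implementation must
    also disable redirect following (or re-validate every hop): a public host
    can answer 302 Location: http://169.254.169.254/... and the HTTP client
    would follow it from inside the instance."""
    if not is_safe_target(url, resolver):
        raise ValueError(f"refusing to fetch non-public target: {url}")
    return fetcher(url)
```

Two caveats a reviewer would raise: the check resolves the name once and the HTTP client resolves it again, so a DNS-rebinding attacker can still pass a public address to the check and a link-local one to the fetch; pinning the resolved address into the connection, or proxying all outbound fetches through an egress host with no IMDS route, closes that gap. And an allowlist of expected destination hosts is always stronger than a denylist of bad ranges.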
The first malicious SSRF probe was logged on March 13, but the campaign escalated to full scale between March 15 and 25, using multiple FBW Networks SAS IPs based in France and Romania.
During this time, the attackers rotated six query parameter names (dest, file, redirect, target, URI, URL) and four subpaths (e.g., /meta-data/, /user-data), showing a systematic approach to exfiltrating sensitive data from vulnerable sites.
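That rotation is visible in ordinary web server logs. The following is an added detection example, not tooling from F5 Labs: it parses combined-format access log lines, URL-decodes every query parameter value, and flags any value that points at an IMDS address regardless of which parameter name carried it, then groups the hits per source IP so the rotation of names and subpaths stands out. The log lines are constructed for this example (the source IPs and the /fetch endpoint are made up); only the parameter names and metadata subpaths mirror those the article lists.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache/nginx combined format). These are
# not real data from the F5 report; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Mar/2025:10:01:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Mar/2025:10:01:05 +0000] "GET /fetch?dest=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 780 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Mar/2025:10:01:09 +0000] "GET /fetch?redirect=http://169.254.169.254/latest/user-data HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Mar/2025:10:02:00 +0000] "GET /fetch?target=http://[fd00:ec2::254]/latest/meta-data/ HTTP/1.1" 500 0 "-" "curl/8.0"
192.0.2.44 - - [15/Mar/2025:10:03:00 +0000] "GET /fetch?url=https://example.com/feed.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to get source IP, request URI and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# IPv4 and IPv6 addresses of the EC2 metadata service.
IMDS_MARKERS = ("169.254.169.254", "fd00:ec2::254")


def find_imds_probes(log_text):
    """Return (src_ip, status, param, decoded_value) for every query parameter
    whose value, after URL-decoding, points at an IMDS address. Matching on the
    value rather than on a list of parameter names means a seventh rotated
    name is still caught; names are lower-cased so URI/uri and URL/url merge."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["uri"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = unquote(value)  # parse_qsl decoded once; handle double-encoding
            if any(marker in decoded for marker in IMDS_MARKERS):
                hits.append((m["ip"], int(m["status"]), name.lower(), decoded))
    return hits


def summarize_by_source(hits):
    """Group hits per source IP: the parameter names rotated, the IMDS paths
    requested, and whether any probe got a 200 (the response may have carried
    metadata and deserves a credential rotation, not just a block)."""
    summary = defaultdict(lambda: {"params": set(), "paths": set(), "succeeded": False})
    for ip, status, param, value in hits:
        entry = summary[ip]
        entry["params"].add(param)
        entry["paths"].add(urlsplit(value).path)
        if status == 200:
            entry["succeeded"] = True
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarize_by_source(find_imds_probes(SAMPLE_LOG)).items():
        flag = "POSSIBLE SUCCESS" if info["succeeded"] else "blocked/failed"
        print(f"{ip}: params={sorted(info['params'])} paths={sorted(info['paths'])} {flag}")
```

A 200 on a probe for /latest/meta-data/iam/security-credentials/ should be treated as a credential exposure: revoke the instance role's active sessions (or rotate the role) and review CloudTrail for use of those keys from outside the VPC, rather than only blocking the source IPs.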
The attacks worked because the vulnerable instances were running IMDSv1, AWS's older metadata service that allows anyone able to make a plain GET request from the instance to retrieve the metadata, including any stored IAM credentials.
The service has been superseded by IMDSv2, which requires a session token (obtained with a PUT request that typical SSRF primitives cannot issue, and presented as a request header on every subsequent read) and so protects websites from SSRF attacks of this kind.
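Why the token requirement matters is easiest to see in the exchange itself. The following is an added, in-process model of the metadata service written for this article, not AWS code: it implements the IMDSv2 handshake (PUT /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header, then GET with X-aws-ec2-metadata-token) and a `http_tokens` switch that mirrors the instance setting, then runs a GET-only SSRF primitive and a legitimate on-instance client against both modes. The credential payload, the metadata paths and the class and function names are constructed for the example, and hop-limit enforcement (which real IMDSv2 also applies to the PUT) is left out.

```python
import secrets
import time

# Constructed model of the EC2 metadata service (IMDS); not AWS code. The
# credentials below are fake placeholders.
FAKE_CREDS = '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"example","Token":"example"}'
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
MAX_TTL = 21600  # six hours, the IMDSv2 maximum


class MetadataService:
    """Minimal IMDS model. http_tokens='optional' behaves like IMDSv1
    (unauthenticated GET works); 'required' is IMDSv2-only."""

    def __init__(self, http_tokens="required"):
        assert http_tokens in ("optional", "required")
        self.http_tokens = http_tokens
        self._tokens = {}  # token -> expiry timestamp
        self._paths = {   # constructed metadata tree
            "/latest/meta-data/": "ami-id\ninstance-id\niam/\n",
            "/latest/meta-data/iam/security-credentials/": "app-role\n",
            "/latest/meta-data/iam/security-credentials/app-role": FAKE_CREDS,
        }

    def handle(self, method, path, headers=None, now=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        now = time.time() if now is None else now
        if path == TOKEN_PATH:
            # Session start: must be a PUT carrying a TTL header in 1..21600 s.
            if method != "PUT":
                return 405, ""
            try:
                ttl = int(headers[TTL_HEADER])
            except (KeyError, ValueError):
                return 400, ""
            if not 1 <= ttl <= MAX_TTL:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self._tokens[token] = now + ttl
            return 200, token
        if method != "GET":
            return 405, ""
        token = headers.get(TOKEN_HEADER)
        authenticated = token in self._tokens and self._tokens[token] > now
        if self.http_tokens == "required" and not authenticated:
            return 401, ""  # v2-only: no valid token, no metadata
        body = self._paths.get(path)
        return (200, body) if body is not None else (404, "")


def ssrf_get(service, path):
    """What a typical SSRF primitive can do: a GET with no custom headers."""
    return service.handle("GET", path)


def instance_client_get(service, path):
    """What software on the instance does under IMDSv2: PUT for a token, then
    GET with the token header. Both steps need a request method and header the
    SSRF attacker cannot control."""
    status, token = service.handle("PUT", TOKEN_PATH, {TTL_HEADER: str(MAX_TTL)})
    if status != 200:
        return status, ""
    return service.handle("GET", path, {TOKEN_HEADER: token})


if __name__ == "__main__":
    creds = "/latest/meta-data/iam/security-credentials/app-role"
    for mode in ("optional", "required"):
        svc = MetadataService(http_tokens=mode)
        print(f"http-tokens={mode}: SSRF GET -> {ssrf_get(svc, creds)[0]}, "
              f"instance client -> {instance_client_get(svc, creds)[0]}")
```

On a real instance the equivalent of `http_tokens="required"` is set with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled`; the `MetadataNoToken` CloudWatch metric shows whether anything on the instance still reads metadata the IMDSv1 way before you flip it, since old SDKs and agents that do will start failing with 401.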
Broader exploitation activity
These attacks were highlighted in a March 2025 threat trends report in which F5 Labs documented the most exploited vulnerabilities for the previous month.
The top four most exploited CVEs by volume were:
- CVE-2017-9841 – PHPUnit remote code execution via eval-stdin.php (69,433 attempts)
- CVE-2020-8958 – Guangzhou ONU OS command injection RCE (4,773 attempts)
- CVE-2023-1389 – TP-Link Archer AX21 command injection RCE (4,698 attempts)
- CVE-2019-9082 – ThinkPHP PHP injection RCE (3,534 attempts)
[Image: chart of the most exploited CVEs in March 2025. Source: F5 Labs]
The report underlines that older vulnerabilities remain heavily targeted, with 40% of the exploited CVEs being over four years old.
To mitigate these threats, it is recommended to apply the available security updates, harden router and IoT device configurations, and replace end-of-life networking equipment with supported models.