A recent targeted campaign leveraged Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on Amazon EC2 instances to steal AWS credentials. Attackers exploited these flaws to access the EC2 Metadata service, potentially gaining access to sensitive Identity and Access Management (IAM) credentials.
This malicious activity, discovered by F5 Labs researchers, occurred between March 13th and 25th, 2025. The consistent patterns strongly suggest a single threat actor was responsible.
Understanding the SSRF Vulnerability and the Attack
SSRF vulnerabilities are web application flaws that let an attacker make the server issue HTTP requests to a destination of the attacker's choosing, including internal resources the attacker cannot reach directly. In this campaign, the attackers found websites hosted on EC2 with such flaws and used them to make the instance fetch its own metadata URLs and hand back the response.
The EC2 Instance Metadata Service (IMDS) describes the instance to software running on it: configuration details, network settings, user data and, when the instance has an IAM role attached, that role's temporary credentials. It listens on the link-local address http://169.254.169.254/latest/meta-data/ and is reachable only from the instance itself, which is exactly the vantage point an SSRF on that instance gives an attacker.
The attackers probed the vulnerability systematically. They rotated six query parameter names (dest, file, redirect, target, URI, URL) and four subpaths (for example /meta-data/ and /user-data/), a methodical search for a parameter the application would forward and a path worth reading, rather than a one-off probe.
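The rotation pattern above is also a detection signal. The following script is an added example, not code from the article or from F5 Labs: it scans constructed web access-log lines for the six parameter names pointing at the metadata service (including URL-encoded, double-encoded and scheme-less forms, and the IPv6 endpoint fd00:ec2::254) and groups hits by source address so that one client cycling through several parameter names stands out. The log lines, the /fetch endpoint and the client addresses are made up.

```python
"""Detect SSRF probes aimed at the EC2 metadata service in web access logs.

Added example, not code from the original article or from F5 Labs. The log
lines are constructed; the suspect parameter names are the six the article
lists, and the IMDS hosts are the IPv4 and IPv6 metadata endpoints.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Query parameter names the campaign rotated through (matched case-insensitively).
SUSPECT_PARAMS = {"dest", "file", "redirect", "target", "uri", "url"}

# Link-local IPv4 address and IPv6 address of the instance metadata service.
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}

# Minimal Common Log Format parser: client, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def metadata_target(raw_query):
    """Return (param, host, imds_path) if a suspect parameter points at IMDS, else None."""
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        if name.lower() not in SUSPECT_PARAMS:
            continue
        # parse_qsl decoded once already; decode again to catch double-encoded payloads.
        candidate = unquote(value)
        # Accept scheme-less forms such as "169.254.169.254/latest/..." and "//host/...".
        if "://" not in candidate and not candidate.startswith("//"):
            candidate = "//" + candidate
        parts = urlsplit(candidate)
        host = (parts.hostname or "").lower()
        if host in IMDS_HOSTS:
            return name, host, parts.path
    return None

def scan_log(lines):
    """Return one hit per request whose suspect parameter targets the metadata service."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = metadata_target(urlsplit(m["target"]).query)
        if found:
            param, host, path = found
            hits.append({"src": m["src"], "param": param, "host": host,
                         "imds_path": path, "status": int(m["status"])})
    return hits

def summarize(hits):
    """Per source IP: which parameter names and IMDS paths were tried.
    Several names from one address is the rotation pattern the article describes."""
    by_src = {}
    for h in hits:
        entry = by_src.setdefault(h["src"], {"params": set(), "paths": set()})
        entry["params"].add(h["param"].lower())
        entry["paths"].add(h["imds_path"])
    return {src: {"params": sorted(v["params"]), "paths": sorted(v["paths"])}
            for src, v in by_src.items()}

# Constructed sample log lines (not from the real campaign).
LOG_LINES = [
    '203.0.113.7 - - [14/Mar/2025:10:02:11 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Mar/2025:10:02:12 +0000] "GET /fetch?dest=http%3A%2F%2F169.254.169.254%2Flatest%2Fuser-data%2F HTTP/1.1" 200 77',
    '203.0.113.7 - - [14/Mar/2025:10:02:13 +0000] "GET /fetch?URI=169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 1337',
    '203.0.113.7 - - [14/Mar/2025:10:02:14 +0000] "GET /fetch?redirect=//[fd00:ec2::254]/latest/meta-data/ HTTP/1.1" 403 0',
    '198.51.100.4 - - [14/Mar/2025:10:03:00 +0000] "GET /fetch?url=https://example.com/feed.xml HTTP/1.1" 200 2048',
    '198.51.100.4 - - [14/Mar/2025:10:03:05 +0000] "GET /static/app.js HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    found = scan_log(LOG_LINES)
    for hit in found:
        print(hit)
    print(summarize(found))
```

A 200 with a non-trivial response size on one of these hits is the line to escalate: it means the application forwarded the request and the metadata came back. The 403 in the sample is still worth keeping, since a blocked probe from an address that also has successful ones tells you which parameter worked.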
The attacks succeeded because the vulnerable instances were running IMDSv1, the original version of the metadata service. IMDSv1 answers any plain HTTP GET that reaches it from the instance, so a server-side request the attacker controls is enough to read the IAM credentials. AWS introduced IMDSv2 in 2019 and now recommends it: every metadata read must carry a session token that the client first obtains with an HTTP PUT request, and a typical SSRF, where the attacker controls the URL but not the HTTP method or the request headers, cannot complete that exchange.
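To make the difference concrete, here is an added example (not code from the article, nor from AWS) with a minimal mock of the metadata service on localhost that implements the IMDSv2 rules just described: a session token is issued only by a PUT carrying the TTL header, a PUT that arrives with an X-Forwarded-For header is refused, and, when the mock is set to "required", a GET without a valid token gets 401. A vulnerable SSRF-style fetch (the application requests whatever URL it is given) is run against the mock in both settings next to a proper IMDSv2 client. The role name "WebRole" and the credential values are constructed.

```python
"""Why enforcing IMDSv2 breaks the SSRF-to-credentials chain.

Added example, not code from the original article or from AWS. A minimal mock
of the metadata service runs on localhost and enforces the IMDSv2 rules the
article describes. The credential JSON it serves is constructed, not real.
"""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/WebRole"  # "WebRole" is made up
FAKE_CREDS = json.dumps({"AccessKeyId": "AKIAEXAMPLE", "SecretAccessKey": "constructed",
                         "Token": "constructed"})

class MockIMDS(BaseHTTPRequestHandler):
    # Mirrors the instance setting http-tokens: "optional" = IMDSv1 still answers,
    # "required" = IMDSv2 only. The real service also applies a hop limit, not modelled here.
    http_tokens = "optional"
    issued_tokens = set()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        # A token needs a PUT with the TTL header; a PUT that carries X-Forwarded-For
        # (it came through a proxy) is refused, as the real service does.
        if (self.path != TOKEN_PATH or TTL_HDR not in self.headers
                or "X-Forwarded-For" in self.headers):
            return self._send(400, "")
        token = secrets.token_urlsafe(16)
        MockIMDS.issued_tokens.add(token)
        self._send(200, token)

    def do_GET(self):
        token = self.headers.get(TOKEN_HDR)
        if token is None and MockIMDS.http_tokens == "required":
            return self._send(401, "")  # IMDSv2-only: a plain GET gets nothing
        if token is not None and token not in MockIMDS.issued_tokens:
            return self._send(401, "")
        if self.path == CREDS_PATH:
            return self._send(200, FAKE_CREDS)
        self._send(404, "")

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def start_mock(http_tokens):
    MockIMDS.http_tokens = http_tokens
    server = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"

def _request(req):
    """Send a request and return (status, body) instead of raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""

def ssrf_fetch(url):
    """The vulnerable pattern: the app fetches whatever URL the request names.
    Through it the attacker picks the URL but not the method or the headers."""
    return _request(url)

def imdsv2_fetch(base, path):
    """A legitimate IMDSv2 client: PUT for a token, then GET with the token header."""
    status, token = _request(urllib.request.Request(
        base + TOKEN_PATH, method="PUT", headers={TTL_HDR: "21600"}))
    if status != 200:
        return status, ""
    return _request(urllib.request.Request(base + path, headers={TOKEN_HDR: token}))

def demo(http_tokens):
    """Run the SSRF-style read, a proper v2 client and a proxied token request
    against a mock with the given http-tokens setting; return what each got."""
    server, base = start_mock(http_tokens)
    try:
        ssrf_status, ssrf_body = ssrf_fetch(base + CREDS_PATH)
        v2_status, _ = imdsv2_fetch(base, CREDS_PATH)
        proxied_status, _ = _request(urllib.request.Request(
            base + TOKEN_PATH, method="PUT",
            headers={TTL_HDR: "21600", "X-Forwarded-For": "203.0.113.7"}))
    finally:
        server.shutdown()
        server.server_close()
    return {"ssrf_status": ssrf_status, "ssrf_got_creds": "AccessKeyId" in ssrf_body,
            "v2_status": v2_status, "proxied_token_status": proxied_status}

if __name__ == "__main__":
    print("http-tokens optional:", demo("optional"))  # SSRF reads the credentials
    print("http-tokens required:", demo("required"))  # SSRF gets 401; the v2 client still works
```

On a real instance the equivalent of switching the mock to "required" is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`. The mock models only the token rule and the X-Forwarded-For refusal; the real service additionally limits the IP hop count of responses, which stops containers and proxies on the instance from relaying tokens.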
Broader Exploitation Trends and Mitigation
This attack highlights a broader trend. F5 Labs’ March 2025 threat trends report showed that older vulnerabilities remain highly targeted. The top four most exploited CVEs by volume were:
- CVE-2017-9841 – PHPUnit remote code execution (69,433 attempts)
- CVE-2020-8958 – Guangzhou ONU OS command injection (4,773 attempts)
- CVE-2023-1389 – TP-Link Archer AX21 command injection (4,698 attempts)
- CVE-2019-9082 – ThinkPHP PHP injection (3,534 attempts)
The report notes that 40% of the exploited CVEs were more than four years old. To reduce this exposure, organizations should apply security updates, harden router and IoT device configurations, and replace end-of-life (EoL) networking equipment. For EC2 instances, enforcing IMDSv2 is the key control, alongside fixing the SSRF flaws themselves, for example by allow-listing the destinations a server-side fetch may reach.