A recent targeted campaign leveraged Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances. This allowed attackers to extract sensitive EC2 Metadata, including IAM credentials from the IMDSv1 endpoint. By retrieving IAM credentials, attackers could escalate privileges, potentially gaining access to S3 buckets or controlling other AWS services. This could lead to sensitive data exposure, manipulation, or even service disruption across the affected systems.
The malicious campaign was discovered by F5 Labs researchers, who tracked it between March 13 and 25, 2025. The campaign’s traffic and behavior strongly indicated a single threat actor was responsible for the attacks. The attackers exploited SSRF flaws in websites hosted on EC2 instances, which allowed them to query internal EC2 Metadata URLs and retrieve sensitive data remotely. This data often included critical security credentials that could be used for further exploitation.
The EC2 Metadata service, which provides data about a running virtual machine on AWS, was the target of the SSRF attacks. Normally, this service is accessible only from within the instance, via internal IP addresses like http://169.254.169.254/latest/meta-data/. However, the attackers used SSRF vulnerabilities to bypass this restriction and access metadata, including IAM credentials stored on the vulnerable EC2 instances. The campaign escalated from March 15 to 25, with the attackers rotating query parameters and subpaths to systematically exfiltrate sensitive data.
F5 Labs’ report also highlighted broader exploitation activity, documenting vulnerabilities actively targeted during March 2025. Among these were CVE-2017-9841, CVE-2020-8958, CVE-2023-1389, and CVE-2019-9082. The exploitation of older vulnerabilities remained a significant trend, with nearly 40% of the targeted CVEs being more than four years old. To prevent such attacks, experts recommend applying security updates, securing router and IoT configurations, and replacing outdated networking equipment.
