Cybercriminals have launched a sophisticated campaign targeting websites hosted on Amazon Web Services (AWS) EC2 instances.
This campaign, observed in March 2025, exploits a vulnerability in EC2 Instance Metadata through Server-Side Request Forgery (SSRF), allowing attackers to access sensitive information and potentially escalate their attacks.
The Exploitation Technique
The attackers are leveraging a combination of two common weaknesses: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-918 (Server-Side Request Forgery).
They send GET requests to websites hosted on EC2 instances, attempting to make the web application fetch metadata from the instance metadata service's link-local address (169.254.169.254).
This metadata includes critical information like IAM role credentials, which can be used to gain unauthorized access to AWS resources.
The campaign’s timeline shows a brief but intense period of activity, starting on March 15, 2025, and lasting for four days.
The attackers used multiple IP addresses, all from the same Autonomous System Number (ASN) owned by FBW NETWORKS SAS, a French company.
These IPs displayed uniform behavior in their exploitation attempts, suggesting a coordinated effort by a single actor.
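The probes described above leave a recognisable trace in ordinary web server access logs: a request whose path or query parameter points at the metadata service. The following Python script is an added example (not code from the report or from AWS) that scans common/combined-format access log lines for such requests and counts attempts per source address, which is how the "several IPs, identical behaviour" pattern of this campaign would surface. The log lines are constructed for the example; the hexadecimal (0xa9fea9fe) and decimal (2852039166) forms are the same address as 169.254.169.254 written differently, and checking them as well as the `/latest/meta-data` path prefix is a generalisation beyond the plain dotted form mentioned in the article.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Ways a request parameter can spell the metadata service address. 0xa9fea9fe
# and 2852039166 are the hexadecimal and decimal forms of 169.254.169.254.
IMDS_MARKERS = ("169.254.169.254", "0xa9fea9fe", "2852039166")
# Every metadata lookup shares this path prefix, so it is flagged even when the
# host part has been obscured.
IMDS_PATH = "/latest/meta-data"

# Common/combined access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two benign requests and three metadata probes from
# one source, the last with the address percent-encoded and in decimal form.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Mar/2025:10:02:11 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Mar/2025:10:02:15 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 93',
    '198.51.100.7 - - [15/Mar/2025:10:02:16 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 140',
    '198.51.100.7 - - [15/Mar/2025:10:02:19 +0000] "GET /fetch?url=http%3A%2F%2F2852039166%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 93',
    '203.0.113.44 - - [15/Mar/2025:10:03:01 +0000] "GET /fetch?url=http://example.com/feed.xml HTTP/1.1" 200 2048',
]


def _decoded_values(target):
    """Yield the request path and every query value, percent-decoded twice so
    that double-encoded payloads are compared in their plain form."""
    parts = urlsplit(target)
    values = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for value in values:
        yield unquote(unquote(value)).lower()


def is_imds_ssrf_attempt(target):
    """True when any part of the request target points at the metadata service."""
    return any(
        IMDS_PATH in value or any(marker in value for marker in IMDS_MARKERS)
        for value in _decoded_values(target)
    )


def scan_access_log(lines):
    """Return (client_ip, target, status) for every request that tries to reach IMDS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_imds_ssrf_attempt(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


def sources_by_attempts(lines):
    """Count attempts per client IP, which makes one actor probing from several
    addresses with identical requests easy to spot."""
    return Counter(ip for ip, _, _ in scan_access_log(lines))


if __name__ == "__main__":
    for ip, target, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} -> {target} (HTTP {status})")
    print(sources_by_attempts(SAMPLE_LOG))
```

A 200 status on a flagged request is the line worth investigating first: it means the application fetched the URL it was handed, and the response body may have carried metadata back to the requester. The same matching logic, applied to the request before it reaches the application, is what a WAF rule blocking the metadata service address amounts to.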
The exposure of EC2 Instance Metadata, particularly through IMDSv1, poses significant risks.
As AWS documentation notes, IMDSv1 data is not protected by authentication or cryptographic methods, making it vulnerable to anyone with direct access to the instance or software running on it.
This vulnerability allows attackers to potentially escalate their privileges within the AWS environment, leading to further exploitation or data breaches.
To mitigate this threat, AWS users are advised to transition from IMDSv1 to IMDSv2, which requires attackers to supply a secret token, significantly reducing the risk of SSRF-based attacks.
Additionally, implementing Web Application Firewall (WAF) rules to block requests to the metadata service IP can prevent unauthorized access.
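Whether IMDSv1 is still reachable on an instance is visible in the `MetadataOptions` block that `aws ec2 describe-instances` returns: `HttpTokens` is `optional` when v1 is allowed and `required` when only v2 is accepted. The script below is an added example (not from the report or from AWS) that audits such a payload and emits the `aws ec2 modify-instance-metadata-options` command to enforce IMDSv2 for each exposed instance. The reservation data and instance IDs are constructed placeholders; the script assumes the `MetadataOptions` keys (`HttpTokens`, `HttpEndpoint`, `HttpPutResponseHopLimit`) as the EC2 API returns them.

```python
import json
import sys

# Constructed describe-instances style payload: three instances with different
# MetadataOptions. The instance IDs are placeholders, not real instances.
SAMPLE_RESERVATIONS = [
    {
        "Instances": [
            {"InstanceId": "i-0aaa111example",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222example",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ccc333example",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 1}},
        ]
    }
]


def assess_metadata_options(instance):
    """Return findings for one instance's IMDS configuration (empty list = fine)."""
    opts = instance.get("MetadataOptions", {})
    findings = []
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return findings  # IMDS is switched off: nothing for an SSRF to fetch
    if opts.get("HttpTokens", "optional") != "required":
        findings.append("IMDSv1 still allowed: an unauthenticated GET returns metadata")
    hop = opts.get("HttpPutResponseHopLimit", 1)
    if hop > 1:
        # Each network hop decrements the TTL on the token response; a limit
        # above 1 lets it reach beyond the instance's own network namespace.
        findings.append(f"PUT response hop limit is {hop}: token replies may travel "
                        "beyond the instance itself; confirm this is intended")
    return findings


def audit_reservations(reservations):
    """Map instance IDs to their findings for a describe-instances payload."""
    report = {}
    for reservation in reservations:
        for instance in reservation.get("Instances", []):
            findings = assess_metadata_options(instance)
            if findings:
                report[instance["InstanceId"]] = findings
    return report


def remediation_commands(report):
    """Build the AWS CLI command that enforces IMDSv2 for each flagged instance."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-tokens required --http-endpoint enabled"
        for iid, findings in sorted(report.items())
        if any(f.startswith("IMDSv1") for f in findings)
    ]


if __name__ == "__main__":
    # Feed real data in with:  aws ec2 describe-instances --output json | python audit_imds.py
    if sys.stdin.isatty():
        reservations = SAMPLE_RESERVATIONS
    else:
        reservations = json.load(sys.stdin)["Reservations"]
    report = audit_reservations(reservations)
    for iid, findings in report.items():
        print(iid, *findings, sep="\n  ")
    print(*remediation_commands(report), sep="\n")
```

Run it on the sample and only the first instance is reported; the second already requires tokens and the third has the endpoint disabled. Before enforcing `--http-tokens required` on a running instance, confirm that the workload's SDKs and agents are recent enough to use IMDSv2, otherwise they lose access to role credentials at the same moment the SSRF path closes.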
Other Notable Vulnerabilities
While the EC2 metadata exploit is novel, March 2025 also saw significant activity around several other CVEs:
- CVE-2017-9841: A PHPUnit Remote Code Execution vulnerability, which saw a massive increase in scanning activity, highlighting the persistent threat of old vulnerabilities.
- CVE-2023-1389: A TP-Link Archer AX21 Remote Code Execution vulnerability, emphasizing the need for timely patching of network devices.
- CVE-2024-4577: A PHP-CGI argument injection vulnerability, exploited for deploying malicious software like cryptocurrency miners and Remote Access Trojans.
According to the report, the exploitation of EC2 Instance Metadata through SSRF underscores the evolving tactics of cybercriminals targeting cloud infrastructure.
Organizations must remain vigilant, ensuring their cloud configurations are secure and up-to-date.
The resurgence of interest in older vulnerabilities also serves as a reminder that patching and updating systems are critical to maintaining robust cybersecurity defenses.
As cloud services continue to grow, so too does the sophistication of attacks against them, necessitating a proactive approach to security.