A newly uncovered cyber campaign has exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on Amazon EC2 to steal sensitive EC2 metadata and IAM credentials.

Researchers at F5 Labs, who discovered the campaign, report that the attacks escalated between March 13 and 25, 2025, and were likely orchestrated by a single threat actor.

SSRF vulnerabilities allow attackers to manipulate servers into making internal HTTP requests. In this case, the attackers used SSRF flaws to access the EC2 Instance Metadata Service (IMDSv1), an outdated version of AWS’s metadata service that exposes IAM credentials without requiring authentication. With these credentials, the attackers could access S3 buckets or other AWS services, risking data exposure, manipulation, and disruption.

The malicious actors targeted vulnerable EC2 instances using IP addresses traced to FBW Networks SAS in France and Romania. They employed a systematic approach, rotating multiple query parameter names and metadata paths to extract valuable data. Their efforts exploited the lack of protections in IMDSv1, which has since been replaced by IMDSv2 — a more secure version requiring session tokens.
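The following is an added detection sketch, not code from F5 Labs or the original article: it scans web access logs for query parameters whose value is a URL pointing at the metadata address and groups hits by source, so a client cycling through parameter names stands out. The log lines, parameter names and source IPs are constructed samples; the combined log format and matching only the literal dotted address are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

IMDS_HOST = "169.254.169.254"  # link-local address of the EC2 metadata service

# Constructed sample access-log lines; source IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Mar/2025:10:01:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512
203.0.113.7 - - [15/Mar/2025:10:01:03 +0000] "GET /fetch?dest=http%3A%2F%2F169.254.169.254%2Flatest%2Fuser-data HTTP/1.1" 404 0
203.0.113.7 - - [15/Mar/2025:10:01:04 +0000] "GET /fetch?target=http://169.254.169.254/latest/dynamic/instance-identity/document HTTP/1.1" 404 0
198.51.100.9 - - [15/Mar/2025:10:02:00 +0000] "GET /search?q=imds+migration HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def find_imds_probes(log_text):
    """Return {source_ip: [(param_name, metadata_path, status), ...]} for requests
    whose query parameter value is a URL pointing at the IMDS address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, target, status = m.group(1), m.group(2), int(m.group(3))
        # parse_qsl percent-decodes each value, so encoded URLs are caught too.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            try:
                inner = urlsplit(unquote(value))  # second decode: double-encoding
            except ValueError:  # malformed value, e.g. a broken bracketed host
                continue
            if inner.hostname == IMDS_HOST:
                hits[src].append((name, inner.path, status))
    return dict(hits)


def rotating_sources(hits, min_params=2):
    """Sources that tried several different parameter names, as opposed to a
    single stray request."""
    return sorted(ip for ip, rows in hits.items()
                  if len({name for name, _, _ in rows}) >= min_params)


if __name__ == "__main__":
    hits = find_imds_probes(SAMPLE_LOG)
    for ip in rotating_sources(hits):
        for name, path, status in hits[ip]:
            print(f"{ip} param={name} path={path} status={status}")
```

A hit that returned status 200 deserves first attention: check what the application sent back and treat the instance role's credentials as exposed until shown otherwise.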

This campaign was highlighted in F5 Labs’ March 2025 threat trends report, which also revealed a continued focus on legacy vulnerabilities. The top four most exploited CVEs last month included flaws dating back as far as 2017, with over 69,000 attempts recorded for just one of them (CVE-2017-9841 in PHPUnit).

F5 Labs recommends that organizations using AWS immediately migrate to IMDSv2, regularly apply security updates, harden web app configurations, and replace unsupported devices to defend against similar exploitation attempts.
