
Hackers Target AWS EC2 Metadata through SSRF Vulnerabilities

  • Last updated April 11, 2025
  • written by Writer

Capital of the United States, April 11, 2025 – In a recent cybersecurity campaign, threat actors have attempted to exploit vulnerabilities in websites hosted on Amazon Web Services (AWS) to access sensitive EC2 instance metadata, including IP addresses and security credentials.

The campaign, observed by F5 Labs, focuses on exploiting Server-Side Request Forgery (SSRF) bugs within websites that utilize the older Instance Metadata Service version 1 (IMDSv1), which is susceptible to such attacks.

F5 Labs reported a surge in activity in March 2025, with a four-day period witnessing numerous attempts to compromise EC2 instance metadata through SSRF vulnerabilities. “During March 2025 we observed a four-day flurry of activity attempts to compromise EC2 Instance Metadata being inadvertently exposed by websites through Server-Side Request Forgery (SSRF),” researchers noted in a blog post.

EC2 metadata provides crucial information about a running EC2 instance and is accessible through a special internal endpoint that requires no authentication. F5 researchers identified that exploitation of these vulnerabilities combines CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with CWE-918 (Server-Side Request Forgery).

The researchers emphasized that the exposure of sensitive information is primarily due to users relying on the outdated IMDSv1 instead of the more secure IMDSv2, which mandates a session token and additional protections against SSRF attacks. “Exploitation for this campaign is a combination of CWE-200 and CWE-918,” they stated.

To mitigate these vulnerabilities, F5 researchers recommend migrating to IMDSv2, which requires a secret session token to be supplied in a custom header, so an attacker who can only control the URL of a server-side request can no longer retrieve the metadata. They also suggest stricter Web Application Firewall (WAF) rules that block requests referencing the internal IP address AWS uses to serve instance metadata.
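To make both recommendations concrete, the following Python is an added example (not code from the F5 report or this article): a check that an SSRF-prone URL fetcher should apply before making a request, recognising the metadata endpoint under its alternate spellings (integer, hex, IPv4-mapped IPv6), plus a small scanner that applies the same check to access-log lines, roughly what the suggested WAF rule would match. The log lines and client addresses are constructed samples; the metadata addresses are the documented AWS ones.

```python
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlparse

# Link-local range containing the EC2 metadata endpoint 169.254.169.254.
METADATA_NET = ipaddress.ip_network("169.254.0.0/16")

def _candidate_ips(host):
    # Addresses a host string can denote, including integer/hex forms (2852039166, 0xa9fea9fe).
    for parse in (ipaddress.ip_address, lambda h: ipaddress.ip_address(int(h, 0))):
        try:
            return [parse(host)]
        except ValueError:
            continue
    # DNS name: resolve it; an unresolvable name raises socket.gaierror (treated as unsafe).
    return [ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)]

def is_metadata_target(url):
    # The check an SSRF-prone fetcher should apply to a user-supplied URL before requesting it.
    parsed = urlparse(url if "//" in url else "//" + url)
    if not parsed.hostname:
        return True  # malformed: fail closed
    try:
        for ip in _candidate_ips(parsed.hostname):
            if ip.version == 6 and ip.ipv4_mapped:
                ip = ip.ipv4_mapped  # ::ffff:169.254.169.254
            if ip in METADATA_NET or ip == ipaddress.ip_address("fd00:ec2::254"):
                return True  # fd00:ec2::254 is the IPv6 IMDS address
    except socket.gaierror:
        return True
    return False

def flag_ssrf_attempts(log_lines):
    # Lines whose 'url' query parameter targets IMDS (what a WAF rule for this campaign would block).
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m:
            targets = parse_qs(urlparse(m.group(1)).query).get("url", [])
            if any(is_metadata_target(t) for t in targets):
                hits.append(line)
    return hits

SAMPLE_LOG = [  # constructed sample lines, not from the F5 report
    '203.0.113.7 - - [15/Mar/2025:10:01:02 +0000] "GET /proxy?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Mar/2025:10:01:05 +0000] "GET /proxy?url=http%3A%2F%2F2852039166%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 128',
    '198.51.100.4 - - [15/Mar/2025:10:02:00 +0000] "GET /proxy?url=http%3A%2F%2F198.51.100.10%2Ffeed.xml HTTP/1.1" 200 2048',
]
```

Running `flag_ssrf_attempts(SAMPLE_LOG)` returns the first two lines; the second shows why matching on the literal string 169.254.169.254 alone is not enough.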

The campaign began with initial reconnaissance on March 13, followed by increased activity from March 15 to March 25. All of the IP addresses involved belonged to FBW NETWORKS SAS, a French company, and geolocated to France and Romania.

This incident highlights the ongoing risks associated with outdated security practices in cloud environments and underscores the importance of adopting updated security measures to safeguard sensitive information.