Hackers Exploit Cloud Native Vulnerabilities to Access AWS EC2 Metadata

In a troubling new trend, cybercriminals have launched a campaign aimed at stealing sensitive AWS EC2 Instance Metadata by exploiting vulnerabilities known as server-side request forgery (SSRF) in cloud-hosted websites. According to findings from F5 Labs, these attacks predominantly targeted the older Instance Metadata Service version 1 (IMDSv1), which lacks the enhanced security features of its successor.

During a rapid series of attempts observed in March 2025, the threat actors sought to take advantage of mistakenly exposed EC2 Instance Metadata, collecting data points such as the IP address, instance ID, and security credentials. Researchers at F5 noted a spike in activity over a four-day period, during which several identified IP addresses belonging to ASN 34534, registered to FBW NETWORKS SAS, were used to orchestrate the campaign.

The exploitation technique hinges on two weakness classes: CWE-200, the exposure of sensitive information to an unauthorized party, and CWE-918, SSRF. F5 Labs researchers emphasized that users relying on the outdated IMDSv1 are particularly susceptible, because it serves metadata from a special HTTP endpoint on the instance without any authentication, so any request the vulnerable web application can be made to send to that endpoint is answered.

To effectively combat these vulnerabilities, F5 recommends migrating to IMDSv2, which establishes stricter security protocols requiring a session token for accessing instance metadata. Additionally, applying web application firewall (WAF) rules can help mitigate risks by blocking requests from flagged IP addresses attempting to exploit SSRF vulnerabilities. Going forward, enhancing cloud security measures is imperative as cybercriminal tactics continue to evolve, putting sensitive data at risk.
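
As an added example (not code from F5 Labs or AWS), the following audit shows how to find instances that still answer IMDSv1 before migrating them. It assumes the JSON shape of `aws ec2 describe-instances --output json` and its `MetadataOptions` fields; the instance IDs and the sample data are constructed.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances --output json`
# (instance IDs are made up; only the fields used here are included).
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}}]},
  {"Instances": [
    {"InstanceId": "i-0ccccccccccccccc3", "State": {"Name": "stopped"},
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0ddddddddddddddd4", "State": {"Name": "running"}}]}
]}
""")

def audit_imds(describe_output):
    """Return (instance_id, finding) pairs for instances that still answer IMDSv1."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst.get("InstanceId", "<unknown>")
            opts = inst.get("MetadataOptions")
            if opts is None:
                # Fail closed: missing data is not evidence of IMDSv2.
                findings.append((iid, "no MetadataOptions in output; verify manually"))
                continue
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service is off: nothing for an SSRF to reach
            if opts.get("HttpTokens") != "required":
                findings.append(
                    (iid, "IMDSv1 allowed (HttpTokens=%s)" % opts.get("HttpTokens")))
    return findings

def remediation_command(instance_id):
    """AWS CLI call that makes the session token mandatory (IMDSv2 only)."""
    return ("aws ec2 modify-instance-metadata-options --instance-id %s "
            "--http-tokens required --http-endpoint enabled" % instance_id)

if __name__ == "__main__":
    for iid, finding in audit_imds(SAMPLE):
        print(iid, "->", finding)
        if finding.startswith("IMDSv1"):
            print("   fix:", remediation_command(iid))
```

Before enforcing `required`, confirm that software on the instance already uses token-based requests, since IMDSv1-only clients stop receiving metadata once the setting is applied.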