Hackers target SSRF flaws to steal AWS credentials

by CybrGPT

Buggy websites hosted on EC2 instances can allow attackers to send unauthorized access requests for exposed EC2 instance metadata.

In a new campaign, threat actors have been trying to access EC2 Instance Metadata, which includes sensitive virtual-server information such as the IP address, instance ID and security credentials, by exploiting server-side request forgery (SSRF) bugs in websites hosted on AWS.

According to observations made by F5 Labs, the threat actors exploited Instance Metadata Service version 1 (IMDSv1), an older version of the service that serves EC2 instance metadata and is vulnerable to SSRF attacks.

“During March 2025 we observed a four-day flurry of activity attempts to compromise EC2 Instance Metadata being inadvertently exposed by websites through Server-Side Request Forgery (SSRF),” F5 Labs researchers said in a blog post.

EC2 metadata is information about a running EC2 instance that is made available to applications running on the instance through a special link-local endpoint (the IMDS, for example IMDSv1), without authentication or external API calls.

Exploitation combines two weaknesses

“Exploitation for this campaign is a combination of CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and CWE-918: Server-Side Request Forgery (SSRF),” the researchers said.

The exposure of sensitive information stems from users relying on the outdated IMDS version 1 instead of its successor, IMDSv2, which requires a session token and adds further protections against SSRF attacks.

SSRF is a type of web security vulnerability that allows an attacker to make a server send requests to other internal or external systems to access resources that aren’t directly exposed to the internet.

In this particular case, F5 researchers found SSRF bugs in the form of a functionality intentionally or unintentionally exposed in a website — hosted on an EC2 instance — for retrieving content over HTTP.

“In the event a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post,” an AWS spokesperson said. “SSRF vulnerabilities allow attackers to make unauthorized requests from web applications. Since these requests come from the application itself, they can be used to access internal resources that the application has access to but that were not intended to be accessible to outsiders. That can include the credentials associated with an EC2 Role stored in the Instance Metadata Service (IMDS).” 

Stricter WAF and switching to IMDSv2 can help

The first and foremost remediation F5 researchers said users should apply is migrating to IMDSv2 from IMDSv1. Post-migration, an attacker would be required to supply a secret via a custom header (X-aws-ec2-metadata-token) for successful exploitation.

“This fully mitigates exposure of EC2 Metadata via SSRF as SSRF vulnerabilities do not generally expose the ability to specify headers, and an attacker would need to determine the secret in addition,” the researchers added.

Additionally, users are advised to consider applying WAF rules at the affected endpoint to block requests from flagged IP addresses or requests containing “169.254.169.254”, the internal address that AWS uses to serve instance metadata to EC2 instances (Azure and Google Cloud use the same address for their metadata services).
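One way to harden the kind of content-fetching feature described above, and to enforce the 169.254.169.254 block in the application itself rather than only at the WAF, is to vet the destination before the server fetches anything. This is an added example written for this article, not code from F5 Labs or AWS; `ALLOWED_SCHEMES`, the injectable `resolver` parameter and the sample hostnames are assumptions.

```python
# Added example: outbound-URL guard for a "fetch this URL" feature, so the
# server-side request cannot reach the instance metadata endpoint or other
# internal addresses. Not part of the F5 Labs post or any AWS SDK.
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy: the fetch feature may only speak plain web protocols.
ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host: str) -> list[str]:
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_internal(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for link-local space (169.254.0.0/16 and fe80::/10, where IMDS
    lives), loopback, RFC 1918 / unique-local space and other non-public ranges."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is really an IPv4 address
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_safe_fetch_url(url: str, resolver=_default_resolver) -> bool:
    """Return True only if the scheme is allowed and every address the host
    maps to is public. Fails closed on anything unparsable or unresolvable."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname  # brackets around IPv6 literals are already stripped
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: no DNS lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False
    if not addrs:
        return False
    return not any(_is_internal(a) for a in addrs)
```

The guard resolves the name once, so a production fetcher should connect to the address it vetted rather than resolving again, and IMDSv2 remains the backstop if the check is ever bypassed.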

Threat actors conducted initial reconnaissance on March 13 from IP 193.41.206.72, researchers added. The main campaign began two days later from IP 193.41.206.189, cycling through multiple IPs within the same ASN over six days, before tapering off and ending by March 25. “All IP addresses in the campaign belong to the ASN:34534. This ASN is owned by a French company “FBW NETWORKS SAS”, even though geographically the IPs are based in both France and Romania.”
