Cloud security company Wiz has revealed that it observed attempts to exploit a security flaw in the Linux utility Pandoc as part of attacks designed to reach the Amazon Web Services (AWS) Instance Metadata Service (IMDS).
The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), a server-side request forgery (SSRF) flaw that allows attackers to make a target system issue requests on their behalf by injecting specially crafted HTML iframe elements.
The AWS EC2 IMDS is a crucial component of the cloud environment, providing information about running instances as well as temporary, short-lived credentials when an identity and access management (IAM) role is associated with an instance. Instance metadata is accessible through a link-local address (169.254.169[.]254) to any application running on an EC2 instance.
These credentials can then be used to interact securely with other AWS services such as S3, RDS, or DynamoDB, allowing applications to authenticate without storing credentials on the machine, which reduces the risk of accidental exposure.
One of the common methods attackers use to steal credentials from IMDS is an SSRF flaw in a web application. This involves tricking the app running on the EC2 instance into sending a request to the IMDS endpoint that asks for the IAM role's credentials.
“If the application can reach the IMDS endpoint and is susceptible to SSRF, an attacker can harvest temporary credentials without needing any direct host access (e.g., RCE or path traversal),” said Wiz researchers Hila Ramati and Gili Tikochinski.
An adversary looking to target AWS infrastructure can therefore hunt for SSRF vulnerabilities in web applications running on EC2 instances and, when one is found, reach the instance metadata endpoint and steal the IAM credentials. This is not a theoretical threat.
In early 2022, Google-owned Mandiant found that a threat actor tracked as UNC2903 had been targeting AWS environments since July 2021 by abusing credentials obtained from IMDS, exploiting an SSRF flaw (CVE-2021-21311, CVSS score: 7.2) in an open-source database management tool.
The issue, at its core, stems from the fact that IMDS, or more specifically IMDSv1, is a plain request/response protocol: any GET that reaches the endpoint is answered, with no session or token required. That makes instances still running IMDSv1 an attractive target for bad actors who exploit web applications hosted on them.
In a report published last month, Resecurity warned that when SSRF is exploited against cloud infrastructure like AWS, it can have “serious and far-reaching” consequences, resulting in unauthorized access to cloud credentials, networks, and internal services.
“Since the SSRF originates from within the server, its reach extends to endpoints protected by the firewall. It effectively turns the vulnerable application into a proxy, allowing the attacker to bypass IP whitelists [and] reach otherwise unreachable internal assets,” it said.
Wiz's latest findings show that threat actors continue to go after the IMDS service, with adversaries exploiting SSRF weaknesses in less obvious applications such as Pandoc.
“The vulnerability, tracked as CVE-2025-51591, [lies in] Pandoc's rendering of HTML documents
“The attacker
Wiz said the attack ultimately failed because IMDSv2 was enforced on the instance. IMDSv2 is session-oriented and blunts SSRF attacks: a caller must first obtain a session token (via a PUT request) and then present it in every subsequent request to IMDS through a dedicated header (X-aws-ec2-metadata-token). A simple GET triggered through an iframe src carries no such header, so it is rejected.
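The IMDSv1 versus IMDSv2 difference described above, as an added example that is not code from Wiz, Amazon or the Pandoc project: a small offline model of the IMDS endpoint answering the same credential request in the two modes EC2 offers (tokens optional, i.e. IMDSv1 still allowed, and tokens required). The endpoint address, paths and header names are the real IMDS ones; the `ImdsModel` class, the token format and the credential document are stand-ins constructed so the code runs without an EC2 instance. `ssrf_fetch` models what an iframe-style SSRF primitive can actually do (one GET, no control over method or headers), while `sdk_credentials` models the legitimate PUT-then-GET flow an AWS SDK performs.

```python
"""Offline model of the EC2 instance metadata (IMDS) request flow.

Added example, not code from Wiz, Amazon or Pandoc. Endpoint address,
paths and header names are the real IMDS ones; ImdsModel, the token
format and ROLE_CREDS are constructed stand-ins for this demonstration.
"""
import json
import secrets
import time

IMDS_HOST = "169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600  # IMDSv2 caps a session token at six hours

# Constructed stand-in for the credential document of an attached role.
ROLE_NAME = "example-web-role"
ROLE_CREDS = {
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "constructed-not-a-real-secret",
    "Token": "constructed-not-a-real-session-token",
    "Expiration": "2025-01-01T00:00:00Z",
}


class ImdsModel:
    """Answers requests the way IMDS does in one of two instance modes:
    http-tokens=optional (IMDSv1 still allowed) or http-tokens=required
    (IMDSv2 only)."""

    def __init__(self, tokens_required):
        self.tokens_required = tokens_required
        self._sessions = {}  # session token -> expiry (epoch seconds)

    def request(self, method, path, headers=None, now=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        now = time.time() if now is None else now
        # IMDSv2 session setup: a PUT carrying a TTL header, never a GET.
        if method == "PUT" and path == TOKEN_PATH:
            if "x-forwarded-for" in headers:
                return 403, ""  # token requests that crossed a proxy are refused
            ttl = headers.get(TTL_HEADER, "")
            if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self._sessions[token] = now + int(ttl)
            return 200, token
        if method != "GET":
            return 405, ""
        token = headers.get(TOKEN_HEADER)
        if token is None:
            if self.tokens_required:
                return 401, ""  # IMDSv2-only: a bare GET is rejected
        elif self._sessions.get(token, 0) <= now:
            return 401, ""  # unknown or expired session token
        if path == CREDS_PATH:
            return 200, ROLE_NAME
        if path == CREDS_PATH + ROLE_NAME:
            return 200, json.dumps(ROLE_CREDS)
        return 404, ""


def ssrf_fetch(imds, url):
    """What a typical SSRF primitive (an iframe src, an image URL, a
    webhook) gives the attacker: a single GET with no control over the
    HTTP method or the request headers."""
    prefix = "http://" + IMDS_HOST
    if not url.startswith(prefix):
        raise ValueError("not an IMDS URL")
    return imds.request("GET", url[len(prefix):])


def sdk_credentials(imds, now=None):
    """How an AWS SDK fetches role credentials under IMDSv2: PUT for a
    session token, then GETs that carry the token header."""
    status, token = imds.request("PUT", TOKEN_PATH, {TTL_HEADER: str(MAX_TTL)}, now)
    if status != 200:
        raise RuntimeError("token request failed: %d" % status)
    auth = {TOKEN_HEADER: token}
    status, role = imds.request("GET", CREDS_PATH, auth, now)
    if status != 200:
        raise RuntimeError("role lookup failed: %d" % status)
    status, body = imds.request("GET", CREDS_PATH + role, auth, now)
    if status != 200:
        raise RuntimeError("credential fetch failed: %d" % status)
    return json.loads(body)


if __name__ == "__main__":
    target = "http://%s%s%s" % (IMDS_HOST, CREDS_PATH, ROLE_NAME)
    print("IMDSv1 allowed, SSRF GET:", ssrf_fetch(ImdsModel(False), target)[0])  # 200
    print("IMDSv2 required, SSRF GET:", ssrf_fetch(ImdsModel(True), target)[0])  # 401
    print("IMDSv2 required, SDK flow:", sdk_credentials(ImdsModel(True))["AccessKeyId"])
```

On a real instance the second mode is selected with the instance metadata option `HttpTokens=required` (for example `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`); the model above is only meant to make visible why that single setting turned the Pandoc attempt into a 401.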
The company told The Hacker News that it observed the activity “dating back to August, and the attempts continued for a few weeks,” adding that it has also seen continued efforts by unknown threat actors to exploit another SSRF flaw, this one in ClickHouse.
To mitigate the risk posed by CVE-2025-51591 in cloud environments, it is advisable to run Pandoc with the “-f html+raw_html” option or the “--sandbox” option, either of which prevents Pandoc from fetching and embedding the content referenced by an iframe element's src attribute.
“[Pandoc maintainers] have determined that rendering iframes is intended behavior, and that the user is responsible either for sanitizing the input or for using the sandbox flag when handling the input,” Wiz said.
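The sanitizing half of that advice, as an added example that is not code from the Pandoc project or from Wiz: an input gate that audits the src attribute of every iframe in untrusted HTML, rejects targets a document should never be allowed to make pandoc fetch (the IMDS link-local addresses, other link-local, private or loopback ranges, local files), strips those iframes, and then hands the result to pandoc with `--sandbox` as the second layer. The function names, the `IMDS_ADDRESSES` set and the sample document are constructed for this example; the integer-host form of the IMDS address is included because it is a common way of slipping past naive string matching.

```python
"""Input gate for untrusted HTML before it reaches pandoc.

Added example, not code from the Pandoc project or from Wiz. It strips
iframes whose src points at IMDS, other internal addresses or local
files, and is a complement to --sandbox, not a substitute for it.
Function names and SAMPLE_HTML are constructed for this example.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# IPv4 and IPv6 addresses the EC2 instance metadata service answers on.
IMDS_ADDRESSES = {"169.254.169.254", "fd00:ec2::254"}


def classify_iframe_src(src):
    """Return why `src` must not be fetched, or None if it may be."""
    if src is None:
        return None
    parts = urlsplit(src.strip())
    if parts.scheme in ("", "file"):
        return "local file or relative path"
    host = parts.hostname
    if not host:
        return "no host"
    try:
        # Dotted, bracketed IPv6 and plain-integer hosts (2852039166 is
        # 169.254.169.254, a classic filter bypass) all become an address.
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return None  # a DNS name; resolve-time checks are out of scope here
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    if str(ip) in IMDS_ADDRESSES:
        return "instance metadata service"
    if ip.is_link_local or ip.is_loopback or ip.is_private or ip.is_unspecified:
        return "internal address"
    return None


class IframeStripper(HTMLParser):
    """Records the character spans of iframe elements that fail the policy."""

    def __init__(self, text):
        super().__init__()
        self.text = text
        self.line_starts = [0]  # getpos() gives (line, col); map it to an offset
        for i, ch in enumerate(text):
            if ch == "\n":
                self.line_starts.append(i + 1)
        self.findings = []  # (src, reason)
        self.spans = []     # [start, end) ranges to cut
        self._open = None   # offset of a flagged <iframe> awaiting its </iframe>
        self._nested = 0

    def _offset(self):
        line, col = self.getpos()
        return self.line_starts[line - 1] + col

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        if self._open is not None:
            self._nested += 1
            return
        src = dict(attrs).get("src")
        reason = classify_iframe_src(src)
        if reason is not None:
            self.findings.append((src, reason))
            self._open = self._offset()

    def handle_endtag(self, tag):
        if tag != "iframe" or self._open is None:
            return
        if self._nested:
            self._nested -= 1
            return
        end = self.text.index(">", self._offset()) + 1
        self.spans.append((self._open, end))
        self._open = None

    def close(self):
        super().close()
        if self._open is not None:  # unterminated iframe: cut to end of input
            self.spans.append((self._open, len(self.text)))
            self._open = None


def strip_unsafe_iframes(html):
    """Return (cleaned_html, findings); findings is a list of (src, reason)."""
    parser = IframeStripper(html)
    parser.feed(html)
    parser.close()
    cleaned = html
    for start, end in sorted(parser.spans, reverse=True):
        cleaned = cleaned[:start] + cleaned[end:]
    return cleaned, parser.findings


def pandoc_argv(input_path, output_path):
    """The conversion itself: --sandbox keeps pandoc from fetching anything."""
    return ["pandoc", "--sandbox", "-f", "html", input_path, "-o", output_path]


# Constructed sample: two iframes aimed at IMDS (dotted and integer address
# forms) and one harmless public embed that must survive.
SAMPLE_HTML = """<html><body>
<h1>Quarterly report</h1>
<iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/"></iframe>
<iframe src="http://2852039166/latest/meta-data/"></iframe>
<iframe src="https://www.example.com/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    cleaned, findings = strip_unsafe_iframes(SAMPLE_HTML)
    for src, reason in findings:
        print("removed iframe %s (%s)" % (src, reason))
    print(cleaned)
```

The gate deliberately passes DNS names through: a hostname that resolves to 169.254.169.254 at fetch time would still get by it, which is exactly why the sandbox flag (or `-f html+raw_html`) remains the control that actually stops the fetch.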
“Although Amazon recommends enforcing IMDSv2, with GuardDuty enhancements, EC2 instances created by Amazon customers are instances that can be at risk when using IMDSv1 in conjunction with unpatched, vulnerable third-party software.”
Organizations are advised to enforce IMDSv2 across all EC2 instances and to ensure that the IAM roles assigned to instances follow the principle of least privilege (PoLP), so that the blast radius is contained should IMDS credentials nonetheless be compromised.