Hackers Strike AWS IMDS and Steal EC2 IAM Credentials by Exploiting Pandoc CVE-2025-51591


Cloud security firm Wiz has discovered that a security flaw in the Linux application Pandoc is being exploited in the wild as part of attacks aimed at the Amazon Web Services (AWS) EC2 Instance Metadata Service (IMDS).

The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5). It is a server-side request forgery (SSRF) flaw that lets an attacker compromise a targeted system by injecting a specially crafted HTML iframe element.

EC2 IMDS, a core component of the AWS cloud environment, provides details about the running instance as well as short-lived temporary credentials when the instance is attached to an Identity and Access Management (IAM) role. Any application running on the same EC2 instance can retrieve those credentials from the link-local address 169.254.169.254.

By allowing applications to authenticate without storing long-term credentials on the machine, these credentials can then be used to communicate securely with other AWS services such as S3, RDS or DynamoDB, which reduces the chance of accidental exposure.

SSRF flaws in web applications are a common way for attackers to obtain IAM credentials via IMDS. In essence, the attacker tricks the application running on the EC2 instance into requesting the IAM credentials from IMDS on their behalf.

According to Wiz researchers Hila Ramati and Gili Tikochinski, “If the application can reach the IMDS endpoint and is vulnerable to SSRF, the attacker can harvest temporary credentials without needing any direct access to the host (such as RCE or path traversal).”

Therefore, an attacker who wants to target AWS infrastructure can look for SSRF flaws in web applications running on EC2 instances. Once one is found, they can reach the metadata service and steal IAM credentials. This threat is not hypothetical.

In early 2022, Google-owned Mandiant disclosed that a threat actor it tracks as UNC2903 had been using credentials obtained through IMDS since July 2021 to attack AWS environments. This was done by exploiting an SSRF flaw (CVE-2021-21311, CVSS score: 7.2) in Adminer, an open-source database management tool, to enable the data theft.


IMDS, or more precisely IMDSv1, is a simple request/response protocol, which makes it a prime target for malicious actors going after vulnerable web applications that also rely on IMDSv1. This is the root of the problem.

A report published last month cautioned that SSRF can have “severe and long-lasting” effects when used against cloud infrastructure such as AWS. These repercussions include network reconnaissance, theft of cloud credentials and unauthorized access to internal services.

“Because SSRF originates inside the server, it can reach protected endpoints behind perimeter firewalls. In doing so, the vulnerable application is effectively turned into a proxy, allowing the attacker to bypass IP allowlists and access internal resources that would otherwise be unreachable,” the report noted.

According to Wiz's latest findings, attacks on IMDS are still ongoing, and adversaries are using SSRF flaws in lesser-known applications such as Pandoc to make them possible.

“The vulnerability, tracked as CVE-2025-51591, stems from Pandoc


The attacker's specially crafted HTML documents targeted the AWS IMDS endpoint 169.254.169.254 with

To mitigate the risks posed by CVE-2025-51591 in cloud environments, it is recommended to use the “-f html+raw_html” or “--sandbox” options so that Pandoc does not include the contents of iframe elements referenced via the src attribute.

“Pandoc maintainers determined that iframes are intended behavior and that the user is responsible for sanitizing input or using the sandbox flags when handling untrusted input,” Wiz added.
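Since the maintainers place input sanitization on the caller, the following added example (not Wiz's or Pandoc's own code) shows what that looks like in practice: a pre-filter that removes iframe elements and drops src/href attributes pointing at internal addresses such as the IMDS endpoint 169.254.169.254, plus a helper that builds the hardened pandoc command line using the --sandbox and -f html+raw_html options mentioned above. The sample HTML at the bottom is constructed for the demo; the function and class names are this example's own.

```python
"""Pre-filter untrusted HTML before handing it to Pandoc (added example)."""
import ipaddress
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

IMDS_HOST = "169.254.169.254"                      # link-local endpoint from the article
FETCHED_ATTRS = ("src", "href", "data", "poster")  # attributes a converter may fetch


def is_internal_host(host):
    """True for loopback, link-local, private or reserved targets (IMDS included)."""
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # plain hostnames are not resolved here; DNS rebinding is out of scope
    return ip.is_link_local or ip.is_loopback or ip.is_private or ip.is_reserved


def _target_host(value):
    """Hostname of a URL-valued attribute; '<unparseable>' if urlparse rejects it."""
    try:
        return urlparse(value or "").hostname
    except ValueError:
        return "<unparseable>"  # fail closed: caller drops the attribute


class UntrustedHtmlFilter(HTMLParser):
    """Streams HTML back out, minus iframes and internal fetch targets."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities exactly as written
        self.parts, self.findings = [], []
        self._iframe_depth = 0

    def _render(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:
            host = _target_host(value)
            if name in FETCHED_ATTRS and (host == "<unparseable>" or is_internal_host(host)):
                self.findings.append(f"<{tag}> {name}={value!r} targets {host}; attribute dropped")
                continue
            kept.append(f" {name}" if value is None else f' {name}="{escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}{' />' if self_closing else '>'}")

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.findings.append(f"<iframe src={dict(attrs).get('src')!r}> removed")
            self._iframe_depth += 1
        elif not self._iframe_depth:
            self._render(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if tag == "iframe":
            self.findings.append(f"<iframe src={dict(attrs).get('src')!r}> removed")
        elif not self._iframe_depth:
            self._render(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag == "iframe":
            self._iframe_depth = max(0, self._iframe_depth - 1)
        elif not self._iframe_depth:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._iframe_depth:
            self.parts.append(data)

    def handle_entityref(self, name):
        if not self._iframe_depth:
            self.parts.append(f"&{name};")

    def handle_charref(self, name):
        if not self._iframe_depth:
            self.parts.append(f"&#{name};")

    def handle_decl(self, decl):
        self.parts.append(f"<!{decl}>")
    # HTML comments are dropped (the default handle_comment does nothing).


def sanitize_html(html):
    """Return (filtered_html, findings) for an untrusted document."""
    f = UntrustedHtmlFilter()
    f.feed(html)
    f.close()
    return "".join(f.parts), f.findings


def hardened_pandoc_command(input_path, output_path):
    """Command line applying both mitigations from the article (not executed here)."""
    return ["pandoc", "--sandbox", "-f", "html+raw_html", "-o", output_path, input_path]


# Constructed sample: a benign report with an embedded IMDS credential fetch attempt.
CONSTRUCTED_HTML = (
    "<p>Quarterly report &amp; notes</p>"
    '<iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/"></iframe>'
    '<img src="https://example.com/logo.png"/>'
    '<img src="//169.254.169.254/latest/meta-data/" alt="x">'
)

if __name__ == "__main__":
    clean, findings = sanitize_html(CONSTRUCTED_HTML)
    print(clean)
    for finding in findings:
        print("finding:", finding)
    print(" ".join(hardened_pandoc_command("clean.html", "report.pdf")))
```

The filter is deliberately layered on top of the sandbox flags rather than replacing them: the flags stop Pandoc from performing the fetch, while the findings list gives you a log line to alert on when a submitted document tries to reach the metadata address at all. Scheme-less values such as `//169.254.169.254/...` are caught because `urlparse` still extracts the host from the netloc; hostnames are not resolved, so a DNS name that resolves to an internal address would need a resolver-side check.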

“Although Amazon recommends enforcing IMDSv2 along with GuardDuty enhancements, EC2 instances created by Amazon customers that still use IMDSv1 may be at risk when vulnerable third-party software is also in the mix.”

To reduce the blast radius in the event of an IMDS compromise, organizations are advised to enforce IMDSv2 on all EC2 instances and to ensure that instances are assigned custom roles that adhere to the principle of least privilege (PoLP).
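As an added example (not AWS's or Wiz's code) of checking the IMDSv2 advice above across a fleet, the script below evaluates the MetadataOptions block that `aws ec2 describe-instances` returns for each instance and flags those still answering token-less IMDSv1 requests (HttpTokens set to "optional"). Instances that carry an IAM instance profile rank highest, because those are the ones whose role credentials an SSRF such as CVE-2025-51591 can harvest; the instance records are constructed for the demo and the account id is a placeholder.

```python
"""Audit EC2 instance records for IMDSv1 exposure and emit remediation commands (added example)."""

# Constructed describe-instances-style records (not real instances; account id is a placeholder).
CONSTRUCTED_INSTANCES = [
    {"InstanceId": "i-0aaa111",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::000000000000:instance-profile/doc-converter"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb222",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::000000000000:instance-profile/web"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc333",  # no IAM role attached
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ddd444",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::000000000000:instance-profile/batch"},
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]


def assess_instance(inst):
    """Classify one instance record; returns severity, notes and the fix command."""
    opts = inst.get("MetadataOptions", {})
    has_role = "IamInstanceProfile" in inst
    endpoint_on = opts.get("HttpEndpoint", "enabled") == "enabled"
    tokens_required = opts.get("HttpTokens", "optional") == "required"
    hop_limit = opts.get("HttpPutResponseHopLimit", 1)

    # IMDSv1 is reachable whenever the endpoint is on and session tokens are not
    # mandatory: a plain GET from an SSRF (or an <iframe src=...>) then suffices to
    # read /latest/meta-data/iam/security-credentials/. IMDSv2 needs a PUT first.
    imdsv1_reachable = endpoint_on and not tokens_required
    if not imdsv1_reachable:
        severity = "ok"
    elif has_role:
        severity = "high"    # role credentials are harvestable
    else:
        severity = "medium"  # metadata disclosure only; no credentials to steal

    notes = []
    if imdsv1_reachable and has_role:
        notes.append("role credentials exposed via IMDSv1: " + inst["IamInstanceProfile"]["Arn"])
    if endpoint_on and hop_limit > 1:
        notes.append(f"hop limit {hop_limit}: IMDSv2 tokens can reach processes one network hop away")

    remediation = None
    if imdsv1_reachable:
        # Real AWS CLI flags; this string is only built here, never executed.
        remediation = (f"aws ec2 modify-instance-metadata-options --instance-id {inst['InstanceId']} "
                       "--http-tokens required --http-endpoint enabled")
    return {"InstanceId": inst["InstanceId"], "severity": severity, "has_role": has_role,
            "imdsv1_reachable": imdsv1_reachable, "notes": notes, "remediation": remediation}


def audit(instances):
    """Map InstanceId -> assessment for every record in the list."""
    return {r["InstanceId"]: r for r in map(assess_instance, instances)}


if __name__ == "__main__":
    for result in audit(CONSTRUCTED_INSTANCES).values():
        print(result["severity"].upper(), result["InstanceId"], "; ".join(result["notes"]))
        if result["remediation"]:
            print("  fix:", result["remediation"])
```

In a real account you would feed `audit()` the `Instances` lists from `aws ec2 describe-instances` (or the boto3 equivalent) rather than the constructed records. The hop-limit note is informational: a limit above 1 is sometimes needed so bridged containers can obtain IMDSv2 tokens, so it is reported rather than changed. The least-privilege half of the advice is not checked here; it requires reviewing the policies attached to each instance-profile role, which this record format does not contain.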


About the author:

Yogesh Naager is a content specialist in cybersecurity and the B2B space. In addition to writing for the News4Hackers blog, he also writes for brands including Craw Security, Bytecode Security and NASSCOM.
