• Environment

    Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials

    AnyFans Posted on

    Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials

    Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS).
    The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), which refers to a case of Server-Side Request Forgery (SSRF) that allows attackers to compromise a target system by injecting a specially crafted HTML iframe element.
    The EC2 IMDS is a crucial component of the AWS cloud environment, offering information about running instances, as well as temporary, short-lived credentials if an identity and access management (IAM) role is associated with the instance. The instance metadata is accessible to any application running on an EC2 instance via a link-local address (169.254.169[.]254).
    These credentials can then be used to securely interact with other AWS services like S3, RDS, or DynamoDB, permitting applications to authenticate without the need for storing credentials on the machine, thereby reducing the risk of accidental exposure.
    One of the common methods that attackers can use to steal IAM credentials from IMDS is via SSRF flaws in web applications. This essentially involves tricking the app running on an EC2 instance to send a request seeking IAM credentials from the IMDS service on its behalf.
    “If the application can reach the IMDS endpoint and is susceptible to SSRF, the attacker can harvest temporary credentials without needing any direct host access (such as RCE or path traversal),” Wiz researchers Hila Ramati and Gili Tikochinski said.
    An adversary looking to target AWS infrastructure can therefore search for SSRF vulnerabilities in web applications running on EC2 instances and, when found, access the instance metadata and steal IAM credentials. This is not a theoretical threat.
    As far back as early 2022, Google-owned Mandiant found that a threat actor it tracks as UNC2903 had attacked AWS environments by abusing credentials obtained using IMDS since July 2021, exploiting an SSRF flaw (CVE-2021-21311, CVSS score: 7.2) in Adminer, an open-source database management tool, to facilitate data theft.
    The issue, at its core, stems from the fact that IMDS, or more specifically IMDSv1, is a request and response protocol, making it an attractive target for bad actors who target exploitable web applications that also run IMDSv1.
    In a report published last month, Resecurity warned that when SSRF is exploited against cloud infrastructure like AWS, it can have “severe and far-reaching” consequences, resulting in cloud credential theft, network reconnaissance, and unauthorized access to internal services.
    “Since SSRF originates from within the server, it can reach endpoints protected by perimeter firewalls. This effectively turns the vulnerable application into a proxy, allowing the attacker to: Bypass IP whitelists [and] reach otherwise unreachable internal assets,” it said.
    The latest findings from Wiz demonstrate that attacks targeting the IMDS service are continuing to take place, with adversaries leveraging SSRF vulnerabilities in little-known applications like Pandoc to enable them.
    “The vulnerability, tracked as CVE-2025-51591, stems from Pandoc rendering tags in HTML documents,” Wiz researchers said. “This would allow an attacker to craft an