Hackers Exploit Pandoc CVE to Steal EC2 IAM Credentials
Wiz has disclosed that attackers are actively exploiting CVE-2025-51591, an SSRF flaw in the Linux utility Pandoc, to target AWS Instance Metadata Service (IMDS). The vulnerability allows attackers to abuse iframe rendering to extract IAM credentials from IMDSv1, potentially enabling access to AWS services like S3, RDS, and DynamoDB.
Wade Ellery, Chief Evangelist and IAM Strategy Officer at Radiant Logic, has this to say:
“What we have seen from the most recent breaches is that attackers keep finding ways to compromise account access. Token hijacking, credential stuffing, phishing, and now iframe rendering to extract valid IAM credentials. The conclusion we can draw is that the weak link in the defenses remains the Authentication Layer. Given the likelihood of a successful compromise at the AuthN layer, the next line of defense is the Authorization Layer. If an intruder gains access but is blocked from exploiting the compromised account, escalating privileges, or moving east to west, then the attack is thwarted at the second wall. Security is strongest when it is layered. A robust, comprehensive, and real-time observability platform focused on identity data at the core of all Authorization decisions is critical to detect, obstruct, and remediate attacks that get past the Authentication layer. The screen door has been proven vulnerable; this mandates a steel door backing it up to protect the enterprise.”
The Wiz article includes prevention tips. They are worth implementing if you are affected by this.
This entry was posted on September 24, 2025 at 2:45 pm and is filed under Commentary with tags Wiz.