SecurityWeek reports that more than 10,000 intrusion attempts exploiting a medium-severity ChatGPT server-side request forgery (SSRF) vulnerability, tracked as CVE-2024-27564, were launched from a single IP address within a week, most of them aimed at U.S. government and financial entities.
Financial and healthcare organizations in Germany, Thailand, Indonesia, Colombia, and the UK were also targeted, according to a Veriti Research study; the flaw allows arbitrary requests to be sent to ChatGPT without any authentication.
"Banks and fintech firms depend on AI-driven services and API integrations, making them vulnerable to SSRF attacks that access internal resources or steal sensitive data," said the Veriti study.
The researchers urged organizations to remediate the vulnerability immediately, fix intrusion prevention system and firewall misconfigurations, and watch their logs for known attacker IP addresses.