SecurityWeek reports that more than 10,000 intrusion attempts exploiting a medium-severity server-side request forgery vulnerability in ChatGPT, tracked as CVE-2024-27564, were launched from a single IP address within one week, most of them targeting U.S. government and financial entities.
Financial and healthcare organizations in Germany, Thailand, Indonesia, Colombia, and the UK were also targeted by the attacks, which could be used to make arbitrary requests to ChatGPT without any authentication, according to a Veriti Research study.
Moreover, misconfigured security systems have exposed almost a third of organizations to intrusions involving the flaw.
"Banks and fintech firms depend on AI-driven services and API integrations, making them vulnerable to SSRF attacks that access internal resources or steal sensitive data," said Veriti researchers, who called on organizations to not only immediately remediate the security issue but also address intrusion prevention system and firewall misconfigurations, as well as remain mindful of known attacker IP addresses in their logs.
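The two defensive actions the researchers recommend, checking logs for known attacker addresses and stopping SSRF requests from reaching internal resources, can be exercised with a small script. The following is an added example written for this digest; it is not code from Veriti, SecurityWeek, or the affected project. The attacker IP, the log lines, and the `url=` query parameter are all constructed placeholders (the article publishes neither the real source address nor the vulnerable parameter name).

```python
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlparse

# Placeholder attacker address for the constructed sample below; the article
# does not publish the real source IP, so this value is invented.
WATCHLIST = {"203.0.113.10"}

# Constructed access-log lines in Apache/nginx combined format. The "url="
# parameter stands in for whatever user-controlled URL field an SSRF bug
# exposes; it is an assumption, not the vulnerable endpoint from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2025:10:01:02 +0000] "GET /api?url=http://169.254.169.254/ HTTP/1.1" 200 512
198.51.100.7 - - [20/Mar/2025:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.10 - - [20/Mar/2025:10:01:09 +0000] "GET /api?url=http://127.0.0.1:8080/admin HTTP/1.1" 403 0
198.51.100.7 - - [20/Mar/2025:10:01:12 +0000] "GET /api?url=http://8.8.8.8/ HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log_line(line):
    """Return a dict of the interesting fields, or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def _default_resolver(host):
    """Resolve a hostname to its address strings (injectable for offline tests)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_outbound_url(url, resolver=_default_resolver):
    """Allow a server-side fetch only if the URL is http(s) and every address the
    host resolves to is globally routable. Loopback, RFC 1918, link-local
    (including the 169.254.169.254 cloud metadata address), multicast and
    reserved ranges are rejected. The check resolves once; a hardened client
    should connect to the address validated here rather than re-resolving, so
    that DNS rebinding cannot swap in an internal address afterwards."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        addrs = [ipaddress.ip_address(host)]  # host is an IP literal
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError, OSError):
            return False
    return bool(addrs) and all(a.is_global for a in addrs)


def find_watchlist_hits(log_text, watchlist):
    """Requests whose source address is on the known-attacker list."""
    return [e for e in map(parse_log_line, log_text.splitlines())
            if e and e["ip"] in watchlist]


def find_ssrf_candidates(log_text, param="url", resolver=_default_resolver):
    """Requests whose user-supplied URL parameter points at a non-public
    address, i.e. the shape of an SSRF attempt against internal resources."""
    hits = []
    for e in map(parse_log_line, log_text.splitlines()):
        if not e:
            continue
        query = urlparse(e["path"]).query
        for target in parse_qs(query).get(param, []):
            if not is_safe_outbound_url(target, resolver):
                hits.append({**e, "target": target})
    return hits


if __name__ == "__main__":
    for hit in find_watchlist_hits(SAMPLE_LOG, WATCHLIST):
        print("watchlist:", hit["ip"], hit["method"], hit["path"], hit["status"])
    for hit in find_ssrf_candidates(SAMPLE_LOG):
        print("ssrf-like:", hit["ip"], "->", hit["target"])
```

`is_safe_outbound_url` is the allowlist check an application should apply before fetching any user-supplied URL; `find_ssrf_candidates` reuses it over access logs to surface requests that tried to reach loopback, private or metadata addresses, which is the detection counterpart of the same rule. The `resolver` argument exists so the logic can be tested without network access.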