Threat actors are targeting a year-old server-side request forgery (SSRF) vulnerability in a third-party ChatGPT tool, mainly against financial entities and US government organizations, cybersecurity firm Veriti reports.
The affected tool is called ChatGPT, but it’s not made by OpenAI. Instead, it’s an open source tool created by a Chinese developer, designed to provide an interface for interacting with the ChatGPT gen-AI service.
The bug, tracked as CVE-2024-27564, is a medium-severity issue affecting the pictureproxy.php file. It allows attackers to inject crafted URLs in the url parameter and force the application to make arbitrary requests.
Reported in September 2023 and publicly disclosed one year ago, the flaw can be exploited without authentication, and has had proof-of-concept (PoC) exploit code available publicly for some time.
According to Veriti, at least one threat actor has added an exploit for CVE-2024-27564 to its arsenal, and has started probing the internet for vulnerable applications.
Within a single week, the cybersecurity firm observed over 10,000 attack attempts coming from a single IP address. Roughly one-third of the targeted organizations are potentially at risk of exploitation due to misconfigurations in their protection solutions, Veriti warns.
Most of the attacks were targeting organizations in the US, mainly in the government and financial sector. Financial and healthcare firms in Germany, Thailand, Indonesia, Colombia, and the UK were targeted as well.
“Banks and fintech firms depend on AI-driven services and API integrations, making them vulnerable to SSRF attacks that access internal resources or steal sensitive data,” Veriti notes.
Although a medium-severity issue, CVE-2024-27564 has become a real-world attack vector and organizations should address it as soon as possible. They should also check their intrusion prevention systems and firewalls for any misconfigurations and monitor logs for known attacker IP addresses.
“Ignoring medium-severity vulnerabilities is a costly mistake, particularly for high-value financial organizations,” Veriti says.
*updated to clarify that the ChatGPT tool impacted by CVE-2024-27564 is not in any way related to ChatGPT developer OpenAI.
Related: Recent Fortinet Vulnerabilities Exploited in ‘SuperBlack’ Ransomware Attacks
Related: Unpatched Edimax Camera Flaw Exploited Since at Least May 2024
Related: Newly Patched Windows Zero-Day Exploited for Two Years
Related: Vulnerable Paragon Driver Exploited in Ransomware Attacks
