Exploited ChatGPT Vulnerability Poses Risks to Organizations

A server-side request forgery (SSRF) vulnerability in OpenAI’s ChatGPT infrastructure, tracked as CVE-2024-27564, is being actively exploited by attackers to redirect users to malicious URLs, placing organizations at significant risk.

Researchers from cybersecurity firm Veriti have identified that this medium-severity flaw allows cybercriminals to inject crafted URLs into ChatGPT’s system, compelling the application to make arbitrary requests. This exploitation can lead to unauthorized access and data breaches. Notably, over 10,000 exploit attempts were recorded within a single week from a lone malicious IP address, underscoring the vulnerability’s appeal to threat actors.

The attacks have predominantly targeted financial institutions and U.S. government organizations, highlighting the critical need for robust cybersecurity measures in these sectors. Alarmingly, Veriti’s analysis revealed that 35% of examined organizations were susceptible due to misconfigurations in intrusion prevention systems, web application firewalls, and firewall settings.

SSRF vulnerabilities enable attackers to manipulate server-side applications into making unauthorized requests to internal or external systems, potentially leading to data exposure or further system compromises. In this instance, the flaw permits adversaries to direct ChatGPT to access unintended URLs, facilitating a range of malicious activities.

 

Jim Love

Jim is an author and podcast host with over 40 years in technology.