Hackers Target AWS IMDS And EC2 To Steal Credentials: Wiz Report
‘We uncovered exploitation in the wild of a previously unknown zero-day vulnerability in a popular web service stemming from insecure use of Pandoc,’ said Wiz researchers in a new report.
Cybersecurity star Wiz has discovered that threat actors are seeking to exploit a flaw in a Linux tool in order to infiltrate AWS Instance Metadata Service (IMDS).
“Over the years, threat actors have learned to turn IMDS into a stepping stone for credential theft, lateral movement and privilege escalation,” said Wiz researchers Gili Tikochinski and Hila Ramati in a new report.
Wiz said the security flaw is in a Linux utility called Pandoc. The vulnerability is a case of Server-Side Request Forgery (SSRF) that allows attackers to compromise a system by using a specially crafted HTML iframe element.
“We uncovered exploitation in the wild of a previously unknown zero-day vulnerability in a popular web service stemming from insecure use of Pandoc,” Wiz researchers said.
“The vulnerability, tracked as CVE-2025-51591, stems from Pandoc rendering tags in HTML documents,” Wiz said. “This would allow an attacker to craft an <iframe> that points to the IMDS server, or other private resources.”
In one case, Wiz said the attacker submitted crafted HTML documents containing <iframe> elements whose source attributes targeted an AWS IMDS endpoint.
“The objective was to render and exfiltrate the content of sensitive paths,” Wiz said. “However, the attack was neutralized by the mandatory enforcement of IMDSv2.”
Wiz is recommending AWS customers enforce IMDSv2 (version 2) across all EC2 instances and ensure that instances are assigned roles that follow the principle of least privilege to contain the radius of an IMDS compromise.
AWS did not immediately respond to a request for comment.
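To check the IMDSv2 recommendation above across a fleet, the following added example (not code from Wiz or from the original article) audits `aws ec2 describe-instances` output for instances that still accept token-less IMDSv1 requests. The sample JSON, instance IDs and the high/medium severity labels are constructed assumptions; missing fields are treated conservatively as IMDSv1-reachable.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output (not real data).
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000001",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0aaa0000000000002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}}]},
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000003",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/db"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0aaa0000000000004",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}}]}
]}
""")


def audit_imds(describe_output):
    """Return findings for instances that still answer IMDSv1 requests."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue  # IMDS switched off: nothing for an SSRF to reach
            if opts.get("HttpTokens", "optional") == "required":
                continue  # IMDSv2 enforced: token-less GETs are rejected
            has_role = "IamInstanceProfile" in inst
            findings.append({
                "instance": inst["InstanceId"],
                # Assumed labels: a role means IMDS serves temporary credentials.
                "severity": "high" if has_role else "medium",
                "fix": "aws ec2 modify-instance-metadata-options "
                       f"--instance-id {inst['InstanceId']} "
                       "--http-tokens required --http-endpoint enabled",
            })
    # High severity (role attached) first, then by instance id.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["instance"]))


if __name__ == "__main__":
    for f in audit_imds(SAMPLE):
        print(f["severity"], f["instance"], f["fix"], sep="\t")
```

An instance with an attached role is ranked first because, as the article notes, the credentials IMDS serves for that role are what an attacker would use against other AWS services.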
AWS’ EC2 IMDS
An IMDS is a server running on every cloud compute instance that provides temporary, short-lived credentials and other data to be used by applications running on cloud compute. This allows them to securely access cloud services without needing to hardcode credentials on the machine, according to Wiz.
AWS’ EC2 IMDS offers information about running instances and temporary credentials.
The IMDS is accessible to applications running in an EC2 instance through a link-local address, according to Wiz.
If stolen, credentials can be used by threat actors to interact with other AWS services such as DynamoDB, S3 and AWS RDS.
Attackers’ Strategy
Wiz said that to gain initial access to a cloud environment, hackers look for a way to “trick” an application running on an exposed compute instance into querying the IMDS and providing them with the retrieved temporary credentials.
Attackers can then move laterally and escalate privileges throughout the organization’s environment.
Wiz said attackers typically exploit application vulnerabilities in two ways: SSRF, or code injection and misconfigured workloads.
This discovery shows attackers are continuing to target IMDS services by exploiting SSRF vulnerabilities in small applications like Pandoc, the cybersecurity company said.
AWS Earnings And Global Cloud Market Share
The Seattle-based cloud giant is the largest cloud computing company on the planet with 30 percent share of the global enterprise cloud infrastructure services market as of the second quarter of 2025.
In second-quarter 2025, AWS generated $30.9 billion in total revenue, up 17 percent year over year.
The company currently has a $124 billion annual run rate.