Critical ChatGPT Vulnerability Actively Exploited, Posing Major Risks to Organizations
- Cay
- Mar 21
- 1 min read
Updated: Mar 25

A server-side request forgery (SSRF) vulnerability tracked as CVE-2024-27564 is being actively exploited, placing organizations that run the affected software at significant risk. The flaw is not in OpenAI's hosted ChatGPT service but in the pictureproxy.php component of an open-source, self-hostable ChatGPT web interface: the script fetches whatever URL is supplied in its url parameter without validating the destination, so an attacker can steer the server into making requests on their behalf. Because those requests originate from the server itself, they reach resources the attacker could not reach directly, such as loopback services, internal APIs and cloud metadata endpoints.
In the telemetry published by security firm Veriti, over 10,000 attack attempts were recorded within a single week from a single source IP address. Approximately 33% of these attempts targeted organizations in the United States, with Germany and Thailand each accounting for about 7%. The financial sector has been particularly affected: its heavy use of AI-driven services and API integrations means that a vulnerable proxy endpoint often sits inside a network of internal services, and an SSRF that pivots from it can read internal resources or exfiltrate sensitive data.
Alarmingly, 35% of the analyzed organizations remain unprotected because their intrusion prevention systems (IPS), web application firewalls (WAFs) and traditional firewalls are misconfigured and do not block the exploit traffic. This oversight leaves them exposed to unauthorized transactions, regulatory penalties and significant reputational harm.
To mitigate this vulnerability, organizations should promptly review and correct their IPS, WAF and firewall configurations so that exploit attempts against CVE-2024-27564 are blocked, and should patch or remove the affected pictureproxy.php component where it is exposed. Perimeter filtering alone is not a complete fix for SSRF, however. The application itself must validate the destination of every user-supplied URL: allow only http and https, resolve the hostname and reject any target that maps to a loopback, private (RFC 1918), link-local or cloud-metadata address, and note that decimal, hexadecimal and IPv4-mapped IPv6 forms of an address must be caught after resolution rather than by string matching. Restricting outbound network access from the application host limits the damage if validation is bypassed. Web server logs should be monitored for requests to the proxy endpoint whose url parameter points at internal addresses, and for the known malicious source IPs. Finally, a risk assessment of AI-related integrations helps identify similar server-side fetchers that have not yet been hardened.
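The following is an added example (not code from OpenAI, from the affected ChatGPT web interface, or from Veriti's report) that illustrates both the SSRF mechanism described earlier and the validation and log-monitoring recommendations above. It assumes, hypothetically, that the proxy endpoint is /pictureproxy.php and takes its target in a url query parameter, and that access logs are in combined log format. check_target() is the destination check a hardened fetcher would apply; scan_access_log() applies the same check to sample log lines (constructed here) to surface exploit attempts. The DNS table is a constructed stub so the example runs offline; replace it with system_resolve for live use.

```python
"""SSRF destination guard plus an access-log scan for abuse attempts.

Added example for this article; not code from OpenAI, from the affected
ChatGPT web UI, or from the Veriti report. Hypothetical assumptions: the
proxy endpoint is /pictureproxy.php, it takes its target in a `url` query
parameter, and the logs are in combined log format."""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
UNRESOLVABLE = "unresolvable host"

# Address space a server-side fetcher must never be steered into: loopback,
# RFC 1918, CGNAT, link-local (includes the 169.254.169.254 metadata service),
# and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def system_resolve(host):
    """Live DNS lookup returning every address the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_target(url, resolve=system_resolve):
    """Return (ok, reason) for a user-supplied fetch target.

    The decision is made on the *resolved addresses*, not the hostname
    string: decimal or hex forms such as 2130706433 / 0x7f000001 and names
    that point at internal hosts only become visible after resolution.
    Every address in the answer must be public, so a mixed answer is
    rejected too."""
    try:
        parts = urlparse(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '(none)'!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if not parts.hostname:
        return False, "no host"
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = {ipaddress.ip_address(parts.hostname)}  # literal IP
    except ValueError:  # a name (or an odd IP spelling): resolve it
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(parts.hostname)}
        except (OSError, ValueError):
            return False, UNRESOLVABLE
    if not addrs:
        return False, UNRESOLVABLE
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        if addr.is_multicast or any(addr in net for net in BLOCKED_NETWORKS):
            return False, f"{addr} is not a public address"
    return True, "ok"


# Constructed lookup table so the example runs offline (hypothetical names).
DEMO_DNS = {
    "example.com": {"93.184.216.34"},
    "intranet.local": {"10.1.2.3"},
    "dual.test": {"93.184.216.34", "192.168.1.10"},
}


def demo_resolve(host):
    if host not in DEMO_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return DEMO_DNS[host]


# Combined log format: client - - [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})')

# Constructed sample lines; 203.0.113.9 plays the attacker.
SAMPLE_LOG = [
    '203.0.113.9 - - [21/Mar/2025:10:00:01 +0000] "GET /pictureproxy.php?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.9 - - [21/Mar/2025:10:00:02 +0000] "GET /pictureproxy.php?url=http%3A%2F%2F127.0.0.1%3A80%2Fserver-status HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '203.0.113.9 - - [21/Mar/2025:10:00:03 +0000] "GET /pictureproxy.php?url=file:///etc/passwd HTTP/1.1" 500 0 "-" "curl/8.5.0"',
    '203.0.113.9 - - [21/Mar/2025:10:00:04 +0000] "GET /pictureproxy.php?url=http://intranet.local/admin HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '198.51.100.7 - - [21/Mar/2025:10:00:05 +0000] "GET /pictureproxy.php?url=https://example.com/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Mar/2025:10:00:06 +0000] "GET /pictureproxy.php?url=http://nonexistent.example/ HTTP/1.1" 502 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Mar/2025:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def scan_access_log(lines, resolve=demo_resolve, endpoint="/pictureproxy.php"):
    """Return (client_ip, target, reason) for each request to the proxy
    endpoint whose `url` parameter check_target() rejects. Names the
    resolver cannot answer are skipped rather than flagged: resolving
    attacker-chosen names from a log is itself a network action, so feed
    this an offline table (as here) or passive-DNS data, not live DNS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlparse(m["path"])
        if req.path != endpoint:
            continue
        for target in parse_qs(req.query).get("url", []):  # percent-decoded
            ok, reason = check_target(target, resolve=resolve)
            if not ok and reason != UNRESOLVABLE:
                hits.append((m["ip"], target, reason))
    return hits


if __name__ == "__main__":
    for u in ("https://example.com/logo.png", "http://169.254.169.254/", "file:///etc/passwd"):
        print(u, "->", check_target(u, resolve=demo_resolve))
    for hit in scan_access_log(SAMPLE_LOG):
        print("SSRF attempt:", hit)
```

In production the resolver should be system_resolve and the fetcher should also disable HTTP redirects (or re-run check_target on every redirect target), since an allowed public host can 302 the server to an internal address; that step is deliberately left out of the block to keep it self-contained.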