CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

IMDS impersonation

unknown
Bulletin ID: AWS-2025-021 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/10/07 01:30 PM PDT Description: AWS is aware of a potential Instance Metadata Service (IMDS) impersonation issue that would lead to customers interacting with unexpected AWS accounts. IMDS, when running on an EC2 instance, runs on a loopback network interface and vends Instance Metadata Credentials, which customers use to interact with AWS Services. These network calls never leave the EC2 instance, and customers can trust that the IMDS network interface is within the AWS data perimeter. When using AWS tools (like the AWS CLI/SDK or SSM Agent) from non-EC2 compute nodes, there is a potential for a third party-controlled IMDS to serve unexpected AWS credentials. This requires the compute node to be running on a network where the third party has a privileged network position. AWS recommends that when using AWS Tools outside of the AWS data perimeter, customers follow the installation and configuration guides (AWS CLI/SDK or SSM Agent) to ensure this issue is mitigated. We also recommend that you monitor for IMDS endpoints that may be running in your on-prem environment to proactively prevent such impersonation issues from a third party. Affected versions: IMDSv1 and IMDSv2

CSIRTS triage

What
There is a potential Instance Metadata Service (IMDS) impersonation issue.
Who is affected
Customers using non-EC2 compute nodes that interact with AWS services.
Urgency
Remediation is important as it could lead to unexpected AWS account interactions.
Action
Review network configurations to ensure IMDS is not accessible from non-EC2 nodes.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch EC2

Get an email when a new EC2 advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-021/

More from AWS Security Bulletins