IMDS Abused: Hunting Rare Behaviors to Uncover Exploits
ID: aba991ad-59f1-5360-a2b1-d073c27803dc
STIX ID: report--aba991ad-59f1-5360-a2b1-d073c27803dc
Feed Name: Wiz Blog
This report explains how attackers exploit application-level SSRF and misconfigurations to query cloud Instance Metadata Services (IMDS) and steal temporary credentials, describes a data-driven hunting approach that uncovered an in-the-wild pandoc zero-day (CVE-2025-51591) and a ClickHouse SSRF abuse case, and provides detection and mitigation guidance such as enforcing IMDSv2, applying least-privilege roles, and using runtime sensors and security graph analysis to detect anomalous IMDS usage.
