Hackers exploit ChatGPT vulnerability to target U.S. government and financial firms

Just a year after OpenAI’s internal AI secrets were stolen in a data breach, hackers are now exploiting a year-old security flaw in ChatGPT. According to a report from Security Week, the vulnerability is being used to target financial institutions and U.S. government organizations.
Cybersecurity firm Veriti has flagged a surge in attacks, warning that cybercriminals are scanning the internet for weak points.
The vulnerability, CVE-2024-27564, is tied to a flaw in the pictureproxy.php file. It lets attackers manipulate the url parameter, forcing the system to make unauthorized requests. The biggest concern? It doesn’t require authentication—meaning bad actors can exploit it without needing credentials.
“Hackers exploited an SSRF vulnerability in ChatGPT’s pictureproxy.php file, enabling unauthorized requests. There were over 10,000 attacks from one IP focused on the US government and financial institutions in a week,” Security Week reported.
A Known Weakness, Now a Real Threat
This issue was first reported in September 2023 and publicly disclosed a year ago. Since then, proof-of-concept (PoC) exploit code has been widely available, giving hackers a ready-made tool to go after unpatched systems.
At least one threat actor has already added this exploit to its arsenal and is scanning the internet for vulnerable applications. In just one week, Veriti recorded over 10,000 attack attempts from a single IP address. The firm warns that one in three targeted organizations could be at serious risk due to security misconfigurations.
Who’s Being Targeted?
The primary targets are U.S. government agencies and financial institutions, but it’s not just a domestic issue. Banks and healthcare firms in Germany, Thailand, Indonesia, Colombia, and the UK are also in the crosshairs.
“Banks and fintech firms depend on AI-driven services and API integrations, making them vulnerable to SSRF attacks that access internal resources or steal sensitive data,” Veriti notes.
Why This Matters
While this is considered a medium-severity vulnerability, hackers are treating it as an open door. Attackers don’t always need the biggest, flashiest exploit—they just need one overlooked weakness to gain access.
Organizations should patch affected systems immediately, review firewall and security settings, and monitor logs for suspicious activity.
Veriti puts it bluntly: “Ignoring medium-severity vulnerabilities is a costly mistake, particularly for high-value financial organizations.”
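As an added illustration of the log monitoring recommended above (not code from Veriti, Security Week, or the affected project), this sketch triages web access logs for requests to pictureproxy.php whose url parameter points at internal addresses or non-HTTP schemes, and counts requests per client IP. It assumes combined log format; the function names and sample lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed combined log format: client IP, two fields, [timestamp], "METHOD target PROTO".
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Constructed sample lines using documentation-only IP ranges and domains.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:00:01 +0000] "GET /pictureproxy.php?url=http://127.0.0.1/ HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2025:10:00:02 +0000] "GET /pictureproxy.php?url=http%3A%2F%2F10.0.0.5%2Fstatus HTTP/1.1" 200 77
203.0.113.7 - - [12/Mar/2025:10:00:03 +0000] "GET /pictureproxy.php?url=ftp://files.example.org/a.png HTTP/1.1" 500 0
198.51.100.20 - - [12/Mar/2025:10:01:00 +0000] "GET /pictureproxy.php?url=https://images.example.org/a.png HTTP/1.1" 200 20480
198.51.100.20 - - [12/Mar/2025:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 1024
""".splitlines()

def classify_target(url):
    """Label a proxied url value: 'internal', 'non-http', 'malformed' or 'external'."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "malformed"
    if parts.scheme.lower() not in ("http", "https"):
        return "non-http"
    if host == "localhost" or host.endswith(".localhost"):
        return "internal"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a hostname; not resolved here, so treat as unverified
    if addr.is_loopback or addr.is_private or addr.is_link_local:
        return "internal"
    return "external"

def scan(lines):
    """Return (findings, per_ip): flagged url values and request counts per client."""
    findings, per_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        req = urlsplit(m.group("target")) if m else None
        if req is None or not req.path.lower().endswith("/pictureproxy.php"):
            continue
        per_ip[m.group("ip")] += 1
        for url in parse_qs(req.query).get("url", []):  # parse_qs percent-decodes
            verdict = classify_target(url)
            if verdict != "external":
                findings.append((m.group("ip"), verdict, url))
    return findings, per_ip
```

The per-IP counter surfaces the kind of single-source volume Veriti describes; any finding means the endpoint was asked to fetch something other than a public image and deserves a closer look.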
The Bigger Picture
Cybercriminals don’t need new vulnerabilities when old ones are still sitting unpatched. This latest wave of attacks is a wake-up call for companies relying on AI-driven services. Security needs to be proactive, not reactive—because hackers aren’t waiting.