Critical Atlassian Confluence RCE Flaw Under Active Exploitation
January 22, 2024
Security researchers have observed attackers actively exploiting a critical remote code execution vulnerability, CVE-2023-22527, in outdated versions of Atlassian Confluence. Atlassian disclosed the flaw last week; it affects only Confluence versions released before December 5, 2023, as well as some unsupported versions. The vulnerability is rated critical and is characterized as a template injection weakness that allows unauthenticated remote attackers to execute code on vulnerable Confluence Data Center and Confluence Server endpoints. The impacted versions are 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3.
A fix is available in Confluence Data Center and Server versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only), and in later versions. The Shadowserver Foundation, a threat monitoring service, reported today that its systems detected thousands of attempts to exploit CVE-2023-22527, originating from slightly over 600 distinct IP addresses. The attackers are reportedly testing callbacks by executing the 'whoami' command to learn what level of access and privileges they have obtained on the system. The Shadowserver Foundation has logged over 39,000 exploitation attempts, with most of the attacks coming from Russian IP addresses.
According to Shadowserver, its scanners currently identify 11,100 Atlassian Confluence instances that are accessible over the public internet. However, not all of these necessarily run a vulnerable version. Atlassian Confluence vulnerabilities are frequently exploited by various types of attackers, including sophisticated state-sponsored threat actors and opportunistic ransomware groups. Concerning CVE-2023-22527, Atlassian has previously stated that it was unable to provide specific indicators of compromise (IoCs) that would assist in detecting cases of exploitation.
Administrators of Confluence servers should ensure that the endpoints they manage have been updated to a version released after December 5, 2023. For organizations with outdated Confluence instances, the recommendation is to treat them as potentially compromised, look for signs of exploitation, perform a comprehensive cleanup, and update to a secure version.
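To turn the version lists above into a fleet triage step, here is an added example (not code from the article, Atlassian or Shadowserver) that classifies a Confluence version string as affected, fixed, or unknown using only the ranges and fixed releases the article names. The inventory it runs over is constructed sample data; anything the article does not name (unsupported 7.x releases, 8.7.0) is deliberately reported as unknown rather than guessed.

```python
import re

# Affected minor lines and the 8.5 patch range, exactly as listed in the article.
AFFECTED_MINOR_LINES = {(8, 0), (8, 1), (8, 2), (8, 3), (8, 4)}
AFFECTED_8_5_PATCH_MAX = 3                      # 8.5.0 through 8.5.3
# Fixed releases named in the article; later patches within each line are fixed too.
FIXED_FLOORS = [(8, 5, 4), (8, 6, 0), (8, 7, 1)]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple; a missing patch counts as 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one Confluence version string."""
    v = parse_version(version)
    if v[:2] in AFFECTED_MINOR_LINES:
        return "affected"
    if v[:2] == (8, 5) and v[2] <= AFFECTED_8_5_PATCH_MAX:
        return "affected"
    # Anything at or beyond the newest named fix (8.7.1) is covered by "later versions".
    if v >= (8, 7, 1):
        return "fixed"
    for floor in FIXED_FLOORS:
        if v[:2] == floor[:2] and v >= floor:
            return "fixed"
    # Unsupported releases and gaps the article does not name: treat as potentially
    # compromised and confirm against the vendor advisory rather than assuming safety.
    return "unknown"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by assessment so affected/unknown hosts can be isolated first."""
    groups: dict[str, list[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        groups[assess(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"wiki-a.example": "8.5.3", "wiki-b.example": "8.5.4",
              "wiki-c.example": "7.19.5", "wiki-d.example": "8.7.0"}
    for status, hosts in triage(sample).items():
        print(f"{status:>8}: {', '.join(hosts) or '-'}")
```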