Critical Atlassian Confluence RCE Flaw Under Active Exploitation

January 22, 2024

Security researchers have observed attackers actively exploiting a critical remote code execution vulnerability, CVE-2023-22527, affecting outdated versions of Atlassian Confluence servers. Atlassian disclosed the flaw last week; it affects only Confluence versions released before December 5, 2023, as well as some unsupported versions. The vulnerability is rated critical and is characterized as a template injection weakness that allows unauthenticated remote attackers to execute code on susceptible Confluence Data Center and Confluence Server endpoints. The affected versions are 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3.

A fix is available in Confluence Data Center and Server versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only), and later versions. The Shadowserver Foundation, a threat monitoring service, reported today that its systems detected thousands of attempts to exploit CVE-2023-22527, with the attacks originating from slightly over 600 distinct IP addresses. The attackers are reportedly testing callbacks by executing the 'whoami' command to learn the level of access and privileges they have obtained on the system. The Shadowserver Foundation has logged over 39,000 exploitation attempts, with most of the attacks coming from Russian IP addresses.

According to Shadowserver, its scanners currently identify 11,100 Atlassian Confluence instances that are accessible over the public internet. However, not all of these necessarily run a vulnerable version. Atlassian Confluence vulnerabilities are frequently exploited by various types of attackers, including sophisticated state-sponsored threat actors and opportunistic ransomware groups. Concerning CVE-2023-22527, Atlassian has previously stated that it was unable to provide specific indicators of compromise (IoCs) that would assist in detecting cases of exploitation.

Administrators of Confluence servers should ensure that the endpoints they manage have been updated to a version released after December 5, 2023. For organizations with outdated Confluence instances, the recommendation is to treat them as potentially compromised, look for signs of exploitation, perform a comprehensive cleanup, and update to a secure version.
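As an added example (not Atlassian's or Shadowserver's tooling), the following script classifies Confluence version strings against the affected and fixed versions listed above, so an inventory of instances can be triaged into "affected", "fixed", or "unknown" for anything the advisory text does not explicitly cover. The host names and versions in the sample inventory are constructed for illustration.

```python
"""Triage Confluence Data Center/Server versions against CVE-2023-22527.

Affected (per the advisory text): 8.0.x through 8.4.x, and 8.5.0 through 8.5.3.
Fixed: 8.5.4 (LTS), 8.6.0 (Data Center only), 8.7.1 (Data Center only) and later.
Versions the text does not list (for example pre-8.0 unsupported releases, or 8.7.0)
are reported as "unknown" so an administrator checks the vendor advisory directly.
"""
from __future__ import annotations


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch', tolerating a suffix such as '8.5.4-LTS'."""
    nums: list[int] = []
    for part in version.strip().split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {part!r} in {version!r}")
        nums.append(int(digits))
    while len(nums) < 3:
        nums.append(0)  # "8.6" is treated as 8.6.0
    return nums[0], nums[1], nums[2]


def classify(version: str) -> str:
    """Return 'affected', 'fixed', or 'unknown' for one version string."""
    major, minor, patch = parse_version(version)
    if major < 8:
        return "unknown"          # unsupported line; advisory says some are affected
    if major > 8:
        return "fixed"            # "and later versions"
    if minor <= 4:
        return "affected"         # 8.0.x - 8.4.x
    if minor == 5:
        return "affected" if patch <= 3 else "fixed"   # 8.5.0-8.5.3 vs 8.5.4+
    if minor == 6:
        return "fixed"            # 8.6.0 and later
    if minor == 7:
        return "fixed" if patch >= 1 else "unknown"    # 8.7.1+ fixed; 8.7.0 not listed
    return "fixed"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group host names by classification of their reported Confluence version."""
    groups: dict[str, list[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        groups[classify(version)].append(host)
    return groups


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "wiki-prod.example.test": "8.5.3",
    "wiki-dr.example.test": "8.5.4-LTS",
    "wiki-legacy.example.test": "7.19.17",
}
```

Hosts in the "affected" group should be treated as potentially compromised, as the article recommends, rather than simply patched in place.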
