Critical Zero-Day Vulnerability in Atlassian’s Confluence Software Patched Amidst Exploitation

October 4, 2023

Atlassian, the Australian software company, has urgently addressed a top-priority zero-day vulnerability found in its Confluence Data Center and Server software. This flaw had been exploited in attacks. The company stated, "Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances." The company clarified that Atlassian Cloud sites are not impacted by this vulnerability and sites accessed via an domain, hosted by Atlassian, are not vulnerable to this issue.

The vulnerability, identified as CVE-2023-22515, is a critical privilege escalation flaw affecting Confluence Data Center and Server 8.0.0 and later. It can be exploited remotely in low-complexity attacks that do not require user interaction. Atlassian has advised customers using the vulnerable versions of Confluence Data Center and Server to upgrade their instances to one of the fixed versions (i.e., 8.3.3 or later, 8.4.3 or later, 8.5.2 or later) as soon as possible.

In addition to upgrading and implementing mitigation measures, Atlassian also encourages customers to disconnect impacted instances or isolate them from Internet access if immediate patching isn't feasible. Administrators can limit known attack vectors connected with this vulnerability by restricting access to the /setup/* endpoints on Confluence instances. "Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously," Atlassian added.

Following the patch release, there is an increased risk that threat actors might analyze the security patches to identify the patched vulnerability, potentially accelerating the development of a usable exploit. The company also advises checking all Confluence instances for indicators of compromise. Securing Confluence servers promptly is vital, given their past attractiveness to malicious actors, with previous incidents involving AvosLocker and Cerber2021 ransomware, Linux botnet malware, and crypto miners emphasizing the urgency.

Last year, CISA ordered federal agencies to patch another critical Confluence vulnerability (CVE-2022-26138) that was exploited in the wild, based on previous alerts from cybersecurity firm Rapid7 and threat intelligence company GreyNoise.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.