Hackers start exploiting critical Atlassian Confluence RCE flaw

Security researchers are observing exploitation attempts for the CVE-2023-22527 remote code execution flaw vulnerability that affects outdated versions of Atlassian Confluence servers.

Atlassian disclosed the security issue last week and noted that it impacts only Confluence versions released before December 5, 2023, along with some out-of-support releases.

The flaw has a critical severity score and is described as a template injection weakness that allows unauthenticated remote attackers to execute code on vulnerable Confluence Data Center and Confluence Server endpoints, versions versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3.

A fix is available for Confluence Data Center and Server versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only), and later versions.

Threat monitoring service Shadowserver reports today that its systems recorded thousands of attempts to exploit CVE-2023-22527, the attacks originating from a little over 600 unique IP addresses.

tweet

The service says that attackers are trying out callbacks by executing the 'whoami' command to gather information about the level of access and privileges on the system.

Malicious HTTP request
Malicious HTTP request (The DFIR Report)

The total number of exploitation attempts logged by The Shadowserver Foundation is above 39,000, most of the attacks coming from Russian IP addresses.

Shadowserver reports that its scanners currently detect 11,100 Atlassian Confluence instances accessible over the public internet. However, not all of those necessarily run a vulnerable version.

Attack surface
Over 11,000 exposed Confluence servers (ShadowServer)

Atlassian Confluence vulnerabilities are assets frequently exploited by various types of attackers, including sophisticated state-sponsored threat actors and opportunistic ransomware groups.

Regarding CVE-2023-22527, Atlassian has previously said it was unable to provide specific indicators of compromise (IoCs) that would aid in detecting cases of exploitation.

Confluence server administrators should make sure that the endpoints they manage have been updated at least to a version released after December 5, 2023.

For organizations with outdated Confluence instances, the advice is to treat them as potentially compromised, look for signs of exploitation, perform a thorough cleanup, and update to a safe version.

Related Articles:

Atlassian warns of critical RCE flaw in older Confluence versions

Hackers exploit critical RCE flaw in Bricks WordPress site builder

ScreenConnect critical bug now under attack as exploit code emerges

Joomla fixes XSS flaws that could expose sites to RCE attacks

SolarWinds fixes critical RCE bugs in access rights audit solution