In late August, Atlassian released a hotfix for a Confluence Remote Code Execution (RCE) vulnerability.
The issue has ID CVE-2021-26084 and allows an unauthenticated attacker to remotely execute commands on a vulnerable server.
The issue has been reported to be dangerous for all versions of Confluence Server and Data Center.
After the patch was released, the researcher who found the vulnerability presented a detailed description of it, attaching a PoC exploit to his report.
The exploit written in PHP turned out to be easy to use and really allows executing commands on the target server. Attackers can use this to upload other malware, web shells, or launch programs to a vulnerable server.
Shortly after the publication of the report and the exploit, security experts began to report that cybercriminals and information security researchers were actively scanning the network in search of vulnerable Confluence servers. For example, experts at Bad discovered that attackers from different countries were exploiting servers to download and run PowerShell and Linux shell scripts. Thus, hackers try to install miners on servers running Windows and Linux.
While the attacks currently mostly target mining cryptocurrencies, the researchers warn that there is no reason for attackers not to exploit this vulnerability for other purposes, including more sophisticated attacks. This is also warned by the US Cyber Command, which expects that the situation will only continue to deteriorate:
Let me also remind you that the Atlassian vulnerability was included in the list of 15 most attacked Linux vulnerabilities.
