Researchers are seeing attempts to exploit a critical vulnerability in outdated Atlassian Confluence servers. The flaw allows attackers to execute code remotely, and most attempts originate from Russian IP addresses. As is typical for remote code execution vulnerabilities, this one received a high severity rating on the CVSS scale.
RCE Vulnerability in Confluence Exploited in the Wild
According to Shadowserver, a threat monitoring service, its systems detected thousands of attempts to exploit CVE-2023-22527, which was given the maximum CVSS score of 10. The vulnerability allows attackers to achieve remote code execution (RCE) in a low-complexity attack without authentication. The attacks came from over 600 unique IP addresses, with over 39,000 exploitation attempts recorded.
We are seeing Atlassian Confluence CVE-2023-22527 pre-auth template injection RCE attempts since 2024-01-19. Over 600 IPs seen attacking so far (testing callback attempts and 'whoami' execution). Vulnerability affects out of date versions of Confluence: https://t.co/HFkPWIzJ1S pic.twitter.com/JPnsf3NFs2
— Shadowserver (@Shadowserver) January 22, 2024
22,674 attacker IP addresses are recorded as originating from Russia. Other popular locations for the attackers include Singapore, Hong Kong, the U.S., China, India, Brazil, Taiwan, Japan, and Ecuador. The security flaw affects outdated Confluence 8 versions released before Dec. 5, 2023, as well as Confluence 8.4.5, which no longer receives backported fixes. Confluence 7.19.x Long-Term Support (LTS) versions and Atlassian Cloud instances aren't impacted.
Details of the Vulnerability
CVE-2023-22527 is a template injection flaw: user-controlled input is inserted unsafely into a specially crafted template. By exploiting it, attackers can execute arbitrary code remotely on the server hosting Confluence without any authentication. An attacker supplies a template containing malicious code, which runs when the server processes that template.
In addition, successful exploitation could allow an adversary to cause data destruction on the affected instance. Confidentiality is not impacted, as an attacker cannot exfiltrate any instance data. However, the effects of exploitation include gaining control over the server, accessing sensitive information, disrupting operations, or launching further attacks.
Mitigation and Recommendations
Atlassian addressed the vulnerability with the release of versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only) and recommends that customers install the latest version. If you are running an out-of-date version, patch it immediately; Atlassian insists that every affected installation be updated to the newest version available.
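The first question an administrator has to answer is whether a given deployment falls inside the affected range at all. The following script, an added example rather than anything published by Atlassian or the article's author, encodes only the version information stated above (fixed releases 8.5.4 LTS, 8.6.0 and 8.7.1; 8.4.5 receives no backport; 7.19.x LTS and Cloud are unaffected) and classifies a version string against it. Treating releases newer than the listed 8.7 branch as fixed, and reporting other 7.x branches as outside this summary, are assumptions made here, not statements from the advisory.

```python
import re
from typing import Tuple

# First fixed build per Confluence 8.x branch, as listed in the article.
FIXED_BY_BRANCH = {
    (8, 5): (8, 5, 4),  # 8.5.4 (LTS)
    (8, 6): (8, 6, 0),  # 8.6.0 (Data Center only)
    (8, 7): (8, 7, 1),  # 8.7.1 (Data Center only)
}
LATEST_LISTED_MINOR = 7  # 8.7 is the newest branch the article names

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple; a missing patch counts as 0."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def fmt(version: Tuple[int, int, int]) -> str:
    return ".".join(str(part) for part in version)


def assess(version: str, cloud: bool = False) -> Tuple[str, str]:
    """Return (status, advice); status is 'affected', 'patched', 'not_affected' or 'unknown'."""
    if cloud:
        return "not_affected", "Atlassian Cloud instances are not impacted."
    parsed = parse_version(version)
    major, minor, _ = parsed
    if major < 8:
        if (major, minor) == (7, 19):
            return "not_affected", "Confluence 7.19.x LTS is not impacted."
        return "unknown", "Branch not covered by this summary; consult Atlassian's advisory."
    if major > 8 or minor > LATEST_LISTED_MINOR:
        # Assumption: releases newer than the listed fixed branches ship with the fix.
        return "patched", "Newer than the listed fixed branches; assumed to include the fix."
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is not None and parsed >= fixed:
        return "patched", f"{fmt(parsed)} is at or above fixed release {fmt(fixed)}."
    if parsed == (8, 4, 5):
        return "affected", "8.4.5 receives no backported fix; upgrade to 8.5.4 (LTS) or later."
    target = fmt(fixed) if fixed is not None else "8.5.4 (LTS)"
    return "affected", f"Upgrade to {target} or later and treat the instance as potentially compromised."


if __name__ == "__main__":
    for sample in ["8.5.3", "8.5.4", "8.4.5", "8.7.0", "7.19.17", "8.2"]:
        status, advice = assess(sample)
        print(f"{sample:>8}: {status:<12} {advice}")
```

The version string can be read from the Confluence administration console or the instance's about page; the comparison is purely numeric, so a build such as 8.7.0 is correctly reported as affected even though it is newer than the fixed 8.5.4 LTS release.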
If your organization is running an outdated Confluence instance, treat it as potentially compromised. Patch immediately and review the systems thoroughly for any signs of exploitation. Security experts also suggest additional measures such as threat hunting, log review, monitoring, and auditing of the affected systems.
In addition, we recommend using EDR and XDR solutions. Both offer real-time monitoring, threat intelligence integration, automated response, and behavioral analysis, providing essential protection against the exploitation of vulnerabilities like this one.
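One concrete hunt that follows from the two recommendations above: the Shadowserver report notes attackers testing 'whoami' execution, and a Confluence JVM has no legitimate reason to spawn a shell or an identity lookup, so process-creation telemetry from an EDR or auditd can be checked for exactly that parent/child relationship. The script below is an added example, not code from the article, Shadowserver or Atlassian; the events it scans are constructed here and use a generic JSON-lines schema (timestamp, host, parent_image, parent_cmdline, image, cmdline) rather than any particular product's export format, and the "java with 'confluence' on its command line" heuristic for identifying the Confluence process is an assumption to adapt to your deployment.

```python
import json
import shlex
from pathlib import PurePosixPath
from typing import Dict, Iterable, List

# Child programs the Confluence JVM should never launch; 'whoami' is the
# check the article reports attackers running after exploitation.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "whoami"}

# Constructed sample telemetry (generic schema, one JSON object per line).
# Events 1 and 2: the Confluence JVM spawning a shell and then 'whoami'.
# Event 3: an administrator running 'whoami' from an interactive bash (benign).
# Event 4: the JVM running a helper that is not on the suspicious list.
# Event 5: a malformed line, which the scanner must skip rather than abort on.
SAMPLE_EVENTS = """\
{"timestamp": "2024-01-21T03:14:07Z", "host": "wiki-01", "parent_image": "/opt/java/bin/java", "parent_cmdline": "java -Dconfluence.home=/opt/confluence-home org.apache.catalina.startup.Bootstrap start", "image": "/bin/sh", "cmdline": "sh -c whoami"}
{"timestamp": "2024-01-21T03:14:09Z", "host": "wiki-01", "parent_image": "/opt/java/bin/java", "parent_cmdline": "java -Dconfluence.home=/opt/confluence-home org.apache.catalina.startup.Bootstrap start", "image": "/usr/bin/whoami", "cmdline": "whoami"}
{"timestamp": "2024-01-21T03:15:00Z", "host": "wiki-01", "parent_image": "/usr/bin/bash", "parent_cmdline": "-bash", "image": "/usr/bin/whoami", "cmdline": "whoami"}
{"timestamp": "2024-01-21T03:16:00Z", "host": "wiki-01", "parent_image": "/opt/java/bin/java", "parent_cmdline": "java -Dconfluence.home=/opt/confluence-home org.apache.catalina.startup.Bootstrap start", "image": "/usr/bin/git", "cmdline": "git --version"}
this line is not JSON and should be skipped
"""


def is_confluence_jvm(event: Dict) -> bool:
    """Parent is a 'java' binary whose command line references Confluence (assumed heuristic)."""
    parent = PurePosixPath(event.get("parent_image", "")).name
    return parent == "java" and "confluence" in event.get("parent_cmdline", "").lower()


def command_tokens(cmdline: str) -> List[str]:
    """Tokenise a command line, falling back to whitespace splitting on bad quoting."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def scan(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per process-creation event in which the Confluence JVM
    spawned a shell or 'whoami', either directly or via 'sh -c ...'."""
    findings: List[Dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry: skip it, do not abort the hunt
        if not is_confluence_jvm(event):
            continue
        child = PurePosixPath(event.get("image", "")).name
        tokens = command_tokens(event.get("cmdline", ""))
        if child in SUSPICIOUS_CHILDREN or "whoami" in tokens:
            findings.append({
                "time": event.get("timestamp"),
                "host": event.get("host"),
                "child": child,
                "cmdline": event.get("cmdline"),
                "reason": "Confluence JVM spawned a shell or identity lookup",
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(finding))
```

Run against the constructed sample, the scanner reports only the first two events: the administrator's own 'whoami' from an interactive shell and the JVM's benign helper invocation are left alone, which is the signal-to-noise property a hunt query needs before it is turned into a standing detection rule. Point `scan()` at real process telemetry by feeding it the lines of your EDR or auditd export after mapping the field names.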