Confluence RCE Vulnerability Under Massive Exploitation

RCE Vulnerability in Confluence Exploited in the Wild
Experts have discovered a vulnerability with a maximum CVSS score that attracts hackers the way honey attracts bees.

Researchers are seeing attempts to exploit a critical vulnerability in outdated Atlassian Confluence servers. The flaw allows attackers to execute code remotely, and most of the attempts come from Russian IP addresses. As is typical for remote code execution vulnerabilities, this one received the highest severity rating on the CVSS scale.


According to Shadowserver, a threat monitoring service, its systems detected thousands of attempts to exploit CVE-2023-22527, which was assigned the maximum CVSS score of 10. The vulnerability allows attackers to achieve remote code execution (RCE) in a low-complexity attack without authentication. The attacks came from over 600 unique IP addresses, with more than 39,000 exploitation attempts recorded.

22,674 of the recorded attempts originated from IP addresses in Russia. Other common attacker locations include Singapore, Hong Kong, the U.S., China, India, Brazil, Taiwan, Japan, and Ecuador. The flaw affects outdated Confluence 8 versions released before December 5, 2023, as well as Confluence 8.4.5, which no longer receives backported fixes. Confluence 7.19.x Long-Term Support (LTS) versions and Atlassian Cloud instances are not affected.

Details of the Vulnerability

The CVE-2023-22527 vulnerability stems from insecure handling of user input placed into a specially crafted template. Through it, attackers gain the ability to execute arbitrary code on the server hosting Confluence without any authentication: they manipulate a template so that it includes malicious code, which runs when the server processes that template.

In addition, successful exploitation could allow an adversary to destroy data on the affected instance. Confidentiality is not impacted, as an attacker cannot exfiltrate any instance data. However, the wider effects of exploitation include gaining control over the server, accessing sensitive information, disrupting operations, or launching further attacks.

Mitigation and Recommendations

Atlassian addressed the vulnerability in versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only) and recommends that customers install the latest version. If you are running an out-of-date version, patch it immediately; every affected installation should be updated to the newest version available.
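A practical first step is an inventory check: which of your Confluence instances fall inside the affected range described above? The following script is an added example, not code from Atlassian or from this article; it encodes only the fixed releases named here (8.5.4, 8.6.0, 8.7.1), the out-of-support 8.4.5 line, and the statement that 7.19.x LTS and Cloud are not affected. Its treatment of versions the article does not mention (other 7.x releases, 8.8 and later, non-8 majors) is an assumption and is marked as such in the comments; the `inventory` entries are constructed sample data.

```python
"""Audit Confluence version strings against the fixed releases named in the
article. Added example; not Atlassian's code."""
import re
from typing import List, Tuple

# Fixed patch level per 8.x minor line, taken from the article:
# 8.5.4 (LTS), 8.6.0 (Data Center), 8.7.1 (Data Center).
FIXED_BY_MINOR = {5: 4, 6: 0, 7: 1}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'major.minor.patch' into a comparable integer tuple."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return major, minor, patch


def is_affected(version: str, deployment: str = "server") -> bool:
    """True when the instance is inside the range the article calls affected."""
    if deployment.lower() == "cloud":
        return False  # article: Atlassian Cloud instances are not impacted
    major, minor, patch = parse_version(version)
    if major == 7:
        # Article: 7.19.x LTS is not impacted. Assumption: other 7.x
        # releases are treated the same way here; verify against the advisory.
        return False
    if major != 8:
        # Assumption: the article only names Confluence 8 as affected.
        return False
    if minor < 5:
        # 8.0 through 8.4 (including 8.4.5) have no fixed release at all.
        return True
    fixed_patch = FIXED_BY_MINOR.get(minor)
    if fixed_patch is None:
        # Assumption: 8.8+ shipped after the fix and is not affected.
        return False
    return patch < fixed_patch


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, bool]]:
    """Evaluate (hostname, version, deployment) triples; returns flagged state."""
    return [(host, ver, is_affected(ver, dep)) for host, ver, dep in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("wiki-old.example.internal", "8.4.5", "server"),
        ("wiki-lts.example.internal", "8.5.3", "server"),
        ("wiki-dc.example.internal", "8.7.1", "datacenter"),
        ("wiki-719.example.internal", "7.19.17", "server"),
    ]
    for host, ver, flagged in audit(sample):
        print(f"{host:30} {ver:8} {'AFFECTED' if flagged else 'ok'}")
```

Run it against an export of your asset inventory; any line marked AFFECTED is an instance to patch first and, per the advice below, to treat as potentially compromised until reviewed.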

If your organization is running an outdated Confluence instance, treat it as potentially compromised. Patch immediately and review the system thoroughly for any signs of exploitation. Security experts also recommend additional measures such as threat hunting, log review, monitoring, and auditing for the affected systems.
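For the log review step, the observable pattern the article describes is bulk, unauthenticated requests aimed at template handling from many source IPs. The script below is an added example, not code from the article or from Atlassian: it parses web-server access-log lines in Combined Log Format and flags unauthenticated POST requests to template paths, then counts hits per source IP to surface the burst behaviour. The `.vm` heuristic is an assumption (Confluence renders Velocity `.vm` templates; the specific request paths used in real attacks should be taken from Atlassian's advisory and threat-intel, not from this script), and the log lines are constructed using RFC 5737 documentation addresses.

```python
"""Triage a Confluence access log for unauthenticated POSTs to template paths.
Added example with constructed log lines; not Atlassian's code."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Combined Log Format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic (assumption, not an indicator taken from the article): a direct
# POST to a Velocity template (.vm) by a client with no session is unusual.
TEMPLATE_RE = re.compile(r"\.vm(?:\?|$)")

# Constructed sample log; IPs are documentation addresses, paths are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Jan/2024:10:01:02 +0000] "POST /template/example.vm HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [22/Jan/2024:10:01:03 +0000] "POST /template/example.vm HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - admin [22/Jan/2024:10:02:10 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.33 - - [22/Jan/2024:10:03:00 +0000] "POST /template/example.vm?x=1 HTTP/1.1" 500 0 "-" "curl/8.4.0"
203.0.113.9 - admin [22/Jan/2024:10:04:00 +0000] "POST /template/example.vm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def triage(log_text: str, burst_threshold: int = 2) -> Dict[str, object]:
    """Flag unauthenticated POSTs to template paths and count them per IP.

    burst_threshold: number of flagged requests from one IP that is reported
    as a burst (tune to your own baseline)."""
    flagged: List[Dict[str, str]] = []
    per_ip: Counter = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip unparseable lines rather than abort the review
        unauthenticated = rec["user"] == "-"
        if unauthenticated and rec["method"] == "POST" and TEMPLATE_RE.search(rec["path"]):
            flagged.append(rec)
            per_ip[rec["ip"]] += 1
    bursting = sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
    return {"flagged": flagged, "per_ip": dict(per_ip), "bursting_ips": bursting}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rec in result["flagged"]:
        print(f"{rec['ts']} {rec['ip']:15} {rec['method']} {rec['path']} -> {rec['status']}")
    print("hits per IP:", result["per_ip"])
    print("bursting IPs:", result["bursting_ips"])
```

A 500 on a flagged request is as interesting as a 200: a failed attempt still tells you the host was targeted, which is the cue to check process creation and outbound connections from the Confluence service account around that timestamp.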

We also recommend deploying EDR and XDR solutions. Both provide real-time monitoring, threat intelligence integration, automated response, and behavioral analysis, which are essential protections against vulnerabilities like this one.


By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
