
Critical Atlassian Confluence vulnerability under attack


Multiple cybersecurity organizations have detected exploitation attempts against a critical Atlassian Confluence vulnerability that was disclosed and patched last week.

In a security advisory published on Jan. 16, Atlassian detailed a remote code execution (RCE) vulnerability, tracked as CVE-2023-22527, with the highest possible CVSS score of 10 out of 10. The flaw, a template injection bug, affects Atlassian Confluence Data Center and Confluence Server versions 8.0.x through 8.5.3.

Atlassian strongly advised users to patch CVE-2023-22527 immediately, warning that exploitation would allow an unauthenticated attacker to achieve RCE on a vulnerable instance.
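A version-based triage of an internal inventory is the first check most teams run after an advisory like this one. The script below is an added example, not code from Atlassian or from the article: it encodes only the affected range the article states (8.0.x through 8.5.3) and treats everything outside it as not affected by this CVE, which is an assumption about Atlassian's fix versions that the article does not spell out. The `ajs-version-number` meta tag is an assumption about Confluence's login-page markup, and the sample responses are constructed, not fetched from real hosts. Atlassian Cloud sites are skipped because the article says they are not affected.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range as stated in the advisory summary above: 8.0.x through 8.5.3.
# Assumption: anything outside this range is not affected by CVE-2023-22527.
AFFECTED_MIN: Tuple[int, int, int] = (8, 0, 0)
AFFECTED_MAX: Tuple[int, int, int] = (8, 5, 3)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")
# Assumption about Confluence markup: the login page carries a
# <meta name="ajs-version-number" content="x.y.z"> tag with the server version.
_META_RE = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]*)"', re.I)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '8.5.3' or '8.5' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version lies in the affected range, None if it cannot be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def version_from_html(html: str) -> Optional[str]:
    """Extract the version banner from a fetched Confluence page, if present."""
    m = _META_RE.search(html)
    return m.group(1) if m else None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host (hostname -> fetched login-page HTML) for this CVE.

    Atlassian Cloud sites (*.atlassian.net) are out of scope per the article.
    A host with no version banner is reported as unknown rather than safe.
    """
    results: Dict[str, str] = {}
    for host, html in inventory.items():
        if host.endswith(".atlassian.net"):
            results[host] = "cloud: not affected"
            continue
        version = version_from_html(html)
        if version is None:
            results[host] = "unknown: no version banner"
            continue
        affected = is_affected(version)
        if affected is None:
            results[host] = f"unknown: unparseable version {version!r}"
        elif affected:
            results[host] = f"AFFECTED ({version}): patch now"
        else:
            results[host] = f"not in affected range ({version})"
    return results


# Constructed sample responses for the example; nothing here came from a real host.
SAMPLE_INVENTORY = {
    "wiki.example.internal": '<html><head><meta name="ajs-version-number" content="8.5.3"></head></html>',
    "docs.example.internal": '<html><head><meta name="ajs-version-number" content="8.5.4"></head></html>',
    "legacy.example.internal": '<html><head><meta name="ajs-version-number" content="7.19.17"></head></html>',
    "proxy.example.internal": "<html><head><title>Sign in</title></head></html>",
    "acme.atlassian.net": '<html><head><meta name="ajs-version-number" content="1000.0.0"></head></html>',
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28} {verdict}")
```

The "unknown" verdicts matter as much as the "AFFECTED" ones: a reverse proxy that strips the banner, or a hardened login page, hides the version and should be checked by hand rather than silently passed.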

Following the disclosure, various cybersecurity organizations reported seeing scans and exploitation attempts targeting the critical template injection vulnerability. The Shadowserver Foundation observed the first exploitation attempts on Jan. 19, just three days after the vulnerability was made public. As of Monday, the organization's scans had identified more than 11,000 vulnerable instances, with the majority of scanning activity originating from Europe, North America and Asia.

Additional reports from threat intelligence vendor GreyNoise indicated that the malicious activity began on Monday, with a subsequent increase on the following day. As of Tuesday, GreyNoise observed 37 IP addresses attempting to exploit CVE-2023-22527, with the geographic locations of those addresses aligning with Shadowserver’s findings.

Caitlin Condon, director of vulnerability intelligence at Rapid7, confirmed that the security vendor had also seen exploitation attempts for CVE-2023-22527. Rapid7's honeypot network picked up the exploit activity, although the attempts observed so far had been unsuccessful.

The SANS Technology Institute's Internet Storm Center also detected initial exploitation activity on Monday. Johannes Ullrich, dean of research at SANS Technology Institute, said exploitation attempts against its honeypots increased after a proof-of-concept exploit was released. Ullrich urged users to patch the flaw immediately and to assume that unpatched systems might already be compromised.

In an update published on Tuesday, Ullrich wrote that exploitation activity against vulnerable servers had "exploded" since Monday. The vulnerability does not affect Atlassian Cloud sites, however, which limits the pool of exposed targets to self-hosted Data Center and Server deployments.

Atlassian has been contacted for updates on the exploitation activity since the security advisory was released. The company declined to provide additional information but emphasized the importance of patching the vulnerability as soon as possible. Atlassian highlighted the urgency of addressing the issue and supporting customers to protect their data, stating that there might be an increased risk of opportunistic threat actors taking advantage of the vulnerability.

This exploitation activity against CVE-2023-22527 is the latest in a series of attacks on Atlassian’s Confluence Data Center and Confluence Server. Most notably, these products have been targeted in widespread attacks connected to separate vulnerabilities, including CVE-2023-22518 two months ago and a zero-day vulnerability, tracked as CVE-2023-22515, in October.

Because the vulnerability remains a live concern, Atlassian has called on customers to engage their local security teams and review affected Confluence instances for signs of compromise, not just to apply the patch.

The pattern of exploitation activity on Atlassian’s Confluence products underscores the need for organizations to maintain vigilance and promptly address security vulnerabilities as they emerge.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
