Exploitation of Critical Confluence Vulnerability Begins


The first in-the-wild exploitation attempts targeting a recent vulnerability in Atlassian Confluence Data Center and Confluence Server were observed over the weekend, threat intelligence firm GreyNoise warns.

Patched a week ago, the critical security defect tracked as CVE-2023-22518 (CVSS score of 9.1) is an improper authorization flaw that could lead to “significant data loss”, Atlassian warned. The issue impacts all Confluence versions.

Less than five days after releasing the patch, Atlassian issued a second warning, informing customers that “critical information about the vulnerability” had been made public, and that the risk of exploitation had increased significantly.

The enterprise software maker issued the fresh alert on the same day that ProjectDiscovery published technical information on the flaw, along with details on potential exploitation methods.

On Friday, Atlassian updated its initial advisory again, to warn that the vulnerability is under active exploitation.

“We received a customer report of an active exploit. Customers must take immediate action to protect their instances. If you already applied the patch, no further action is required,” the company’s updated advisory reads.

Over the weekend, GreyNoise’s scanners caught in-the-wild exploitation of CVE-2023-22518 targeting organizations in the US, Taiwan, Ukraine, Georgia, Latvia, and Moldova.

Attacks were originating from three different IP addresses, GreyNoise CEO and founder Andrew Morris pointed out on Sunday.

Advertisement. Scroll to continue reading.

While the issue cannot be exploited to exfiltrate data from vulnerable Confluence servers, it could be used to replace the state of an instance to attacker-supplied data, without authentication.

Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1 were released last week to address CVE-2023-22518. All users are advised to update their instances as soon as possible or at least create backups and block internet access to vulnerable instances until patches are applied.

Related: US Gov Expects Widespread Exploitation of Atlassian Confluence Vulnerability

Related: Microsoft Blames Nation-State Threat Actor for Confluence Zero-Day Attacks

Related: Atlassian Patches Remote Code Execution Vulnerabilities in Confluence, Bamboo





Source link