~40,000 Attacks in 3 Days: Critical Confluence RCE Under Active Exploitation

Malicious actors have begun to actively exploit a recently disclosed critical security flaw impacting Atlassian Confluence Data Center and Confluence Server, within three days of public disclosure.

Tracked as CVE-2023-22527 (CVSS score: 10.0), the vulnerability impacts out-of-date versions of the software, allowing unauthenticated attackers to achieve remote code execution on susceptible installations.

The shortcoming affects Confluence Data Center and Server 8 versions released before December 5, 2023, as well as 8.4.5.

But merely days after the flaw became public knowledge, nearly 40,000 exploitation attempts targeting CVE-2023-22527 have been recorded in the wild as early as January 19 from more than 600 unique IP addresses, according to both the Shadowserver Foundation and the DFIR Report.

The activity is currently limited “testing callback attempts and ‘whoami’ execution,” suggesting that threat actors are opportunistically scanning for vulnerable servers for follow-on exploitation.

A majority of the attacker IP addresses are from Russia (22,674), followed by Singapore, Hong Kong, the U.S., China, India, Brazil, Taiwan, Japan, and Ecuador.

Over 11,000 Atlassian instances have been found to be accessible over the internet as of January 21, 2024, although it’s currently not known how many of them are vulnerable to CVE-2023-22527.

“CVE-2023-22527 is a critical vulnerability within Atlassian’s Confluence Server and Data Center,” ProjectDiscovery researchers Rahul Maini and Harsh Jaiswal said in a technical analysis of the flaw.

“This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence instance, thereby enabling the execution of arbitrary code and system commands.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.