
40,000 Attacks Targeting CVE-2023-22527 in the Wild

Malicious actors swiftly seized upon a recently exposed critical security vulnerability affecting Atlassian Confluence Data Center and Confluence Server, launching active exploitation campaigns within a mere three days of its public disclosure.


Threat Actors Weaponizing CVE-2023-22527

Identified as CVE-2023-22527 with a maximum CVSS score of 10.0, the vulnerability poses a serious threat to out-of-date versions of the software, offering unauthenticated attackers the ability to achieve remote code execution on susceptible installations.

The flaw affects Confluence Data Center and Server 8 versions released before December 5, 2023, including version 8.4.5. Shortly after the vulnerability became public, security researchers observed 40,000 exploitation attempts targeting CVE-2023-22527 in the wild. These attempts, documented as early as January 19, originated from more than 600 unique IP addresses, as reported by both the Shadowserver Foundation and the DFIR Report.

The current wave of activity primarily involves “testing callback attempts and ‘whoami’ execution,” indicating that threat actors are actively scanning for vulnerable servers, potentially preparing for subsequent exploitation.

Attacks Are Coming from Russia?

A significant portion of the attacker IP addresses originates from Russia, with 22,674 instances, followed by Singapore, Hong Kong, the U.S., China, India, Brazil, Taiwan, Japan, and Ecuador.

Compounding the risk, more than 11,000 Atlassian instances were reachable from the internet as of January 21, 2024. How many of those instances are actually vulnerable to CVE-2023-22527 remains unknown.

ProjectDiscovery researchers Rahul Maini and Harsh Jaiswal provided a technical analysis of the flaw, emphasizing its critical nature. “CVE-2023-22527 is a critical vulnerability within Atlassian’s Confluence Server and Data Center,” they stated. “This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence instance, thereby enabling the execution of arbitrary code and system commands.”
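The article describes the in-the-wild activity as callback tests and "whoami" execution via injected OGNL expressions. The following is an added triage example (not code from the article, ProjectDiscovery or Atlassian) that scans constructed access-log lines for OGNL expression syntax and command-probe markers and counts hits per source IP; the log format, request paths and marker patterns are assumptions for illustration, not Atlassian detection signatures.

```python
"""Triage web-server access logs for OGNL-injection probes and count
unique source IPs. Added illustration; heuristics are assumptions."""
import re
from collections import Counter
from urllib.parse import unquote

# OGNL expression delimiters (%{ #{ ${) and a shell-probe marker.
# Constructed heuristics, not vendor-supplied signatures.
OGNL_MARKERS = re.compile(r"[%#$]\{", re.ASCII)
PROBE_MARKERS = re.compile(r"\bwhoami\b|getRuntime\(|ProcessBuilder", re.ASCII)

# Common/combined log format: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line: str):
    """Return (ip, reason) if the request looks like an OGNL probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Probes are often URL-encoded more than once; decode twice before matching.
    target = unquote(unquote(m.group("target")))
    if OGNL_MARKERS.search(target):
        return m.group("ip"), "ognl-syntax"
    if PROBE_MARKERS.search(target):
        return m.group("ip"), "command-probe"
    return None


def triage(log_text: str):
    """Summarise probes per source IP; returns {ip: Counter(reason)}."""
    hits = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            ip, reason = result
            hits.setdefault(ip, Counter())[reason] += 1
    return hits


# Constructed sample log (not real traffic); paths and IPs are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jan/2024:10:00:01 +0000] "GET /display/Home HTTP/1.1" 200 4096
198.51.100.7 - - [19/Jan/2024:10:01:02 +0000] "GET /search?q=%2523%257Bwhoami%257D HTTP/1.1" 200 512
203.0.113.42 - - [19/Jan/2024:10:01:03 +0000] "POST /example?cmd=whoami HTTP/1.1" 200 128
198.51.100.7 - - [19/Jan/2024:10:01:09 +0000] "GET /search?q=%24%7Bcallback%7D HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, dict(reasons))
```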

The situation underscores the urgency for organizations to promptly update and secure their Atlassian Confluence installations to mitigate the risk posed by this actively exploited vulnerability.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
