Multiple cybersecurity organizations have observed exploitation attempts against a critical Atlassian Confluence vulnerability that was disclosed and patched last week.
In a security advisory published on Jan. 16, Atlassian detailed a remote code execution (RCE) vulnerability tracked as CVE-2023-22527 that received the highest possible CVSS score of 10 out of 10. The flaw affects Atlassian Confluence Data Center and Confluence Server versions between 8.0.x and 8.5.3.
In last week's security advisory, Atlassian warned users to patch CVE-2023-22527 "immediately." Exploitation could allow an unauthenticated attacker to achieve RCE on an affected instance.
This week, several cybersecurity organizations reported scans and exploitation attempts for the critical template injection vulnerability. The Shadowserver Foundation observed the earliest exploitation attempts beginning on Jan. 19, just three days after disclosure. As of Monday, scans conducted by the cybersecurity nonprofit organization revealed that more than 11,000 vulnerable instances remained. A majority of the scanning activity came from Europe, North America and Asia.
"Over 600 IPs seen attacking so far (testing callback attempts and 'whoami' execution)," Shadowserver wrote on Mastodon and X, formerly known as Twitter. "If you have exposed Atlassian Confluence instances make sure they are up to date (and if not check for signs of compromise!)."
We are seeing Atlassian Confluence CVE-2023-22527 pre-auth template injection RCE attempts since 2024-01-19. Over 600 IPs seen attacking so far (testing callback attempts and 'whoami' execution). Vulnerability affects out of date versions of Confluence: https://t.co/HFkPWIzJ1S
— Shadowserver (@Shadowserver) January 22, 2024
Threat intelligence vendor GreyNoise detected malicious activity beginning on Monday that increased the following day. As of Tuesday, GreyNoise observed 37 malicious IP addresses attempting to exploit CVE-2023-22527. Geographic locations of those addresses were similar to Shadowserver's findings, with 11 IP addresses originating in Hong Kong and eight in the U.S.
Caitlin Condon, director of vulnerability intelligence at Rapid7, confirmed that the security vendor also observed exploitation attempts for CVE-2023-22527. However, the activity has been ineffective so far.
"Our honeypot network has picked up exploit attempts, and we've seen at least one unsuccessful attempt against a production environment as well," Condon said in an email to TechTarget Editorial.
Exploitation activity 'exploded'
SANS Technology Institute's Internet Storm Center also detected initial exploitation activity on Monday. A blog post by Johannes Ullrich, dean of research at SANS Technology Institute, revealed that exploitation attempts against the center's honeypots had increased following the release of a proof-of-concept exploit. Ullrich urged users to patch the flaw immediately and "assume compromise" on unpatched systems.
Ullrich published an update on Tuesday stating that exploitation activity on vulnerable servers had "exploded" since Monday's blog post. Based on indicators of compromise and the types of malware being deployed on the honeypots, Ullrich said to "expect news articles next week that Iran is exploiting this against government systems."
However, the scope of the attacks could be narrower than the scan counts suggest, because the vulnerability does not affect Atlassian Cloud sites.
"It is questionable how many high-value targets are vulnerable. Most organizations have migrated to the Atlassian cloud offerings and do not host tools like Confluence on premises," Ullrich wrote.
TechTarget Editorial contacted Atlassian for any updates since last week's advisory. The vendor declined to expand on exploitation activity, but said the issue was corrected in a previous release, referred to the advisory and emphasized the urgency to patch.
"We have taken swift action since discovering the vulnerability to ensure the safety of our customers and their data," Atlassian said in an email. "This vulnerability is ripe for opportunistic threat actors, and our focus remains on supporting our customers to take timely action to protect their data. Atlassian can't confirm if a customer instance has been affected by this vulnerability. Customers should engage their local security team to check all affected Confluence instances for evidence of compromise."
The exploitation activity against CVE-2023-22527 marks another round of attacks on Atlassian's Confluence Data Center and Confluence Server, which have become popular targets for threat actors. Two months ago, those products suffered widespread attacks connected to a separate vulnerability, CVE-2023-22518. And in October, another Atlassian Confluence zero-day vulnerability, tracked as CVE-2023-22515, also fell under attack.
Arielle Waldman is a Boston-based reporter covering enterprise security news.