Growing attempts of malicious actors to exploit the critical Confluence vulnerability
The availability of proof of concept exploit code for the critical Confluence vulnerability CVE-2023-22518, recently disclosed by Atlassian, has prompted an escalation in cyberattackers’ attempts to exploit the vulnerability, leading to a heightened need for organisations to promptly apply the provided fix.
Cyberattackers are intensifying their efforts to exploit a critical security vulnerability in Confluence, known as CVE-2023-22518. Proof of concept (PoC) exploit code for this vulnerability, recently disclosed by Atlassian in its Confluence Data Center and Server technology, has become publicly available. This development underscores the urgency for organisations using the collaboration platform to promptly apply the company’s provided fix.
On 3 November, ShadowServer, an organisation that monitors malicious internet activity, reported at least 36 unique IP addresses attempting to exploit the Atlassian vulnerability over the past 24 hours.
Atlassian had disclosed the near-maximum severity bug, scoring 9.1 out of 10 on the CVSS scale, on 31 October. The company’s Chief Information Security Officer (CISO) warned that this vulnerability poses a serious risk of “significant data loss” if exploited.
The vulnerability, CVE-2023-22518, notably impacts customers across all versions of Atlassian Data Center and Atlassian Server, excluding those using the company’s cloud-hosted versions. Atlassian’s description of the bug characterises it as a low-complexity attack, requiring no user interaction and feasible with minimal to no special privileges. The flaw is an improper authorisation issue, enabling an attacker to access privileged functionality and data within an application. Exploiting the vulnerability would allow an attacker to delete data from a Confluence instance or block access to it. However, data exfiltration is not possible, according to analysis by security intelligence firm Field Effect.
On 2 November, Atlassian updated its 31 October vulnerability alert with a warning about the public availability of technical details regarding CVE-2023-22518. This increased the risk of exploitation, and Atlassian emphasised the need for immediate action to safeguard instances. While no active exploits have been reported, the company advised organisations unable to patch immediately to remove their Confluence instances from the internet until a patch can be applied.
The escalating exploit activity primarily involves attempts to upload files and set up or restore vulnerable internet-accessible Confluence instances. ShadowServer noted approximately 24,000 exposed Confluence instances, although not all are necessarily vulnerable. Of these, the most significant proportion, around 5,500, is in the USA. Other countries with a relatively high number of exposed Atlassian Confluence systems include China (approximately 3,000 systems), Germany (around 2,000), and Japan (about 1,400 instances).