On October 31, 2023 [4], Atlassian released patches and an advisory for CVE-2023-22518 [4], an improper authorization vulnerability affecting all versions of Atlassian Confluence Data Center and Server. This vulnerability has a CVSS score of 9.1 and poses significant risks to organizations.


On November 3, 2023 [4], Atlassian reported that the vulnerability is actively being exploited in the wild, with confirmation of active exploitation by Huntress. Rapid7 has also observed exploitation of the vulnerability in multiple customer environments [2]. The attacks suggest mass exploitation of vulnerable internet-facing Atlassian Confluence servers [2]. The attackers used a process execution chain, executing Base64 commands to spawn follow-on commands via python2 or python3 [2]. Post-exploitation command execution was observed [2], leading to the deployment of Cerber ransomware on the exploited Confluence server [2]. As a result, Atlassian updated its security advisory [2], raising the CVSS score of CVE-2023-22518 to 10.0 due to the change in the scope of the attack [2].

Customers are urged to update to the latest version of the product as soon as possible [2]. It is estimated that there are over 24,000 Confluence servers currently online [2], but it is unclear how many are still using vulnerable software versions [2]. The vulnerability could potentially allow attackers to wipe data in affected Confluence environments [2], but not exfiltrate it [2]. These attacks install ransomware and pose a risk of significant data loss [1]. The exploitation of this authentication bypass vulnerability has been widespread [1], with attacking IPs primarily originating from Ukraine [1]. Between 12 am and 8 am on Sunday UTC [1], three different IP addresses were observed exploiting the vulnerability [1]. Although these attacks have since stopped [1], it is suspected that the exploits are ongoing [1].


The impact of this vulnerability is significant, with active exploitation and the potential for data loss. Atlassian has provided patches and an advisory [4], urging customers to update their software. However, it is crucial for organizations to prioritize timely remediation to reduce their exposure to cyberattacks [3]. The Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats [3]. While BOD 22-01 only applies to FCEB agencies [3], CISA strongly urges all organizations to prioritize timely remediation of Catalog vulnerabilities [3]. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria [3].


[1] https://arstechnica.com/security/2023/11/critical-vulnerability-in-atlassian-confluence-server-is-under-mass-exploitation/
[2] https://www.infosecurity-magazine.com/news/critical-atlassian-bug-ransomware/
[3] https://www.cisa.gov/news-events/alerts/2023/11/07/cisa-adds-one-known-exploited-vulnerability-catalog
[4] https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment