Attackers Exploiting Atlassian Confluence Software Zero-Day
Critical Privilege Escalation Bug Helps Create Admin Accounts
Hackers have weaponized a zero-day in a popular workspace collaboration tool to create administrator accounts and gain unrestricted access to on-premises instances of Atlassian's Confluence Data Center and Server products, which serve millions of daily active users.
The Australian tech firm said in a Wednesday security advisory that "a handful of customers" had reported that "external attackers may have exploited a previously unknown vulnerability" in Confluence Data Center and Server instances.
Tracked as CVE-2023-22515, the flaw is a critical privilege escalation vulnerability with a CVSS score of 10. The vulnerability affects only on-premises instances. Cloud instances accessed via an atlassian.net domain and versions prior to 8.0.0 are not affected by this vulnerability.
"It's unusual though not unprecedented for a privilege escalation vulnerability to carry a critical severity rating," said cybersecurity firm Rapid7.
The firm added that the advisory suggests the flaw is likely remotely exploitable, which means it is typically associated with an authentication bypass or a remote code execution chain rather than being solely a privilege escalation concern. Rapid7 researchers did not rule out the possibility that the vulnerability could allow a regular user account to elevate to admin rights. "Notably, Confluence allows for new user signups with no approval, but this feature is disabled by default," Rapid7 said.
While limited information is available from Atlassian, the mitigation steps do reveal the endpoint that is affected, cybersecurity firm Tenable said. "According to the mitigation steps, blocking network access to the /setup/* endpoints will mitigate the threat of exploitation of this vulnerability," Tenable said.
Atlassian advised users to watch for the following indicators of compromise:
- Unexpected members of the confluence-administrator group;
- Unexpected newly created user accounts;
- Requests to /setup/*.action in network access logs;
- The presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory.
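The two log-based indicators above can be checked with a short script. The following is an added example, not code from Atlassian or from the article; it assumes a combined-format access log in front of a Confluence instance served at the web root, and the log lines it scans are constructed samples rather than real captures.

```python
import re
from typing import Dict, List

# Request line of a common/combined-format access log (assumption: adjust to your proxy).
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# IoC from the advisory: requests to /setup/*.action. Anchored at the start of the path
# so a page such as /display/setup/Overview (a space named "setup") does not match.
SETUP_ACTION_RE = re.compile(r'^/setup/[^?#]*\.action(?:[?#]|$)')

# Constructed sample access log (RFC 5737 test addresses; /setup/other.action is a
# placeholder path that only shows the wildcard, not a real Confluence endpoint).
ACCESS_LOG = """\
198.51.100.7 - - [04/Oct/2023:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120
198.51.100.7 - - [04/Oct/2023:10:01:40 +0000] "GET /display/setup/Overview HTTP/1.1" 200 9811
203.0.113.5 - - [04/Oct/2023:10:02:03 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 3320
203.0.113.5 - - [04/Oct/2023:10:02:09 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
203.0.113.5 - - [04/Oct/2023:10:02:15 +0000] "GET /setup/other.action?step=2 HTTP/1.1" 302 0
198.51.100.7 - - [04/Oct/2023:10:03:00 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 7700
"""

# Constructed sample of atlassian-confluence-security.log (format is an assumption).
SECURITY_LOG = """\
2023-10-04 10:02:09,412 WARN [http-nio-8090-exec-3] user 'admin' logged in from 198.51.100.7
2023-10-04 10:02:15,880 ERROR [http-nio-8090-exec-5] Exception handling /setup/setupadministrator.action: setup already complete
"""

def find_setup_requests(access_log: str) -> List[Dict[str, str]]:
    """Return access-log entries whose request path is /setup/*.action."""
    hits: List[Dict[str, str]] = []
    for line in access_log.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than abort the scan
        if SETUP_ACTION_RE.match(m.group("path")):
            hits.append({k: m.group(k) for k in ("src", "ts", "method", "path", "status")})
    return hits

def find_setupadministrator_exceptions(security_log: str) -> List[str]:
    """Return security-log lines that mention the setup-administrator action."""
    return [ln for ln in security_log.splitlines() if "/setup/setupadministrator.action" in ln]

def summarize(access_log: str, security_log: str) -> Dict[str, object]:
    """Counts and source addresses worth triaging; pair with the user/group checks above."""
    hits = find_setup_requests(access_log)
    return {"setup_requests": len(hits),
            "sources": sorted({h["src"] for h in hits}),
            "security_log_hits": len(find_setupadministrator_exceptions(security_log))}

if __name__ == "__main__":
    print(summarize(ACCESS_LOG, SECURITY_LOG))
```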
Atlassian Confluence is a popular target because of its widespread adoption. In June 2022, Atlassian published a similar advisory for CVE-2022-26134, which was another critical zero-day vulnerability affecting Confluence Server and Data Center. Multiple threat actors who appeared to be operating out of China exploited the remote code execution vulnerability (see: Unpatched Atlassian Confluence 0-Day Exploited in the Wild).