Breach Notification , Critical Infrastructure Security , Cybercrime

Atlassian Vulnerability Being Exploited in the Wild

Cyber Command and CISA Issue Alerts
Atlassian Vulnerability Being Exploited in the Wild

U.S. Cyber Command and the U.S. Cybersecurity and Infrastructure Security Agency issued alerts Friday warning those using Atlassian's Confluence and Data Center products that attackers are actively exploiting the critical remote code execution vulnerability CVE-2021-26084.

See Also: Hackers Are Coming For Your Cloud-Based Applications

"Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven't already - this cannot wait until after the weekend," Cyber Command tweeted Friday morning.

Atlassian also issued an advisory on Aug. 25 indicating that multiple versions of Confluence Server and Data Center are affected, but that warning did not mention attackers exploiting the vulnerability in the wild. The company has issued an update that fixes the flaw.

The cybersecurity firm Bad Packets tweeted a warning on Sept. 1 that attackers were conducting mass scans and that malicious actors were exploiting the flaw.

Atlassian's Confluence is web-based team collaboration software developed in Australia, written in Java for managing workspaces and projects that companies can run locally on their own servers, says Heimdal Security.

Atlassian describes its Data Center product as: "a deployment option providing high availability and performance at scale for your mission critical Atlassian applications."

Cryptocurrency Mining?

Bleeping Computer reports that its analysis of examples of exploits being conducted that have been posted by Bad Packets indicates that the attackers are installing cryptominers on Windows and Linux Confluence servers.

Heimdal Security believes this usage is only the first step in how attackers will utilize this vulnerability.

"Although cybercriminals are currently exploiting this type of vulnerability for cryptocurrency mining, researchers believe it will be used for data exfiltration and ransomware attacks in the future," the company says.


Atlassian says the issue is an object-graph navigation language injection vulnerability that, when exploited, allows an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.

Atlassian rates the severity level of this vulnerability as critical and recommends immediate patching.

In its description of the vulnerability, Mitre adds that the vulnerable endpoints can be accessed by a nonadministrator user or unauthenticated user if the command "allow people to sign up to create their account" is enabled.

Atlassian notes that customers using cloud versions of the affected products and those who have updated to versions 6.13.23, 7.11.6, 7.12.5, 7.13.0 or 7.4.11 are not affected by the vulnerability.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.