3rd Party Risk Management , Breach Notification , Cybercrime

Attackers Exploiting Atlassian Confluence Software Zero-Day

Critical Privilege Escalation Bug Helps Create Admin Accounts
Attackers Exploiting Atlassian Confluence Software Zero-Day

Hackers have weaponized a zero-day in a popular workspace collaboration tool to create administrator accounts and gain unrestricted access to their on-premises instances of the software, Atlassian's Confluence Data Center and Server products, which serves millions of daily active users.

See Also: How to Build Your Cyber Recovery Playbook

The Australian tech firm said in a Wednesday security advisory that "a handful of customers" had reported that "external attackers may have exploited a previously unknown vulnerability" in Confluence Data Center and Server instances.

Tracked as CVE-2023-22515, the flaw is a critical privilege escalation vulnerability with a CVSS score of 10. The vulnerability affects only on-premises instances. Those in the cloud and versions prior to 8.0.0 accessed via an atlassian.net domain are not affected by this vulnerability.

"It's unusual though not unprecedented for a privilege escalation vulnerability to carry a critical severity rating," said cybersecurity firm Rapid7.

The firm added that the advisory suggests the flaw is likely remotely exploitable, which means it is typically associated with authentication bypass or remote code execution chain rather than solely being a privilege escalation concern. Rapid7 researchers did not rule out the possibility that the vulnerability could allow a regular user account to elevate to admin rights. "Notably, Confluence allows for new user signups with no approval, but this feature is disabled by default," Rapid7 said.

While limited information is available from Atlassian, the mitigation steps do reveal the endpoint that is affected, cybersecurity firm Tenable said. "According to the mitigation steps, blocking network access to the /setup/* endpoints will mitigate the threat of exploitation of this vulnerability, Tenable said.

Atlassian advised users to watch for the following indicators of compromise:

  • Unexpected members of the confluence-administrator group;
  • Unexpected newly created user accounts;
  • Requests to /setup/*.action in network access logs;
  • The presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory.

Atlassian Confluence is a popular target because of its widespread adoption. In June 2022, Atlassian published a similar advisory for CVE-2022-26134, which was another critical zero-day vulnerability affecting Confluence Server and Data Center. Multiple threat actors who appeared to be operating out of China exploited the remote code execution vulnerability (see: Unpatched Atlassian Confluence 0-Day Exploited in the Wild).

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.