Last week Atlassian warned of a critical, then-unpatched remote code execution vulnerability affecting all supported versions of Confluence Server and Data Center, tracked as CVE-2022-26134, that was already being actively exploited in the wild.
The attackers had targeted two Internet-facing web servers running Atlassian Confluence Server. The threat actors launched an exploit that achieved remote code execution by triggering a zero-day vulnerability affecting fully up-to-date versions of Confluence Server.
On Friday, the company released security fixes addressing the critical CVE-2022-26134 flaw.
The patches fixed the issue in the following versions of the software:
IoT search engine Censys found around 9,325 services across 8,347 distinct hosts running some version of Atlassian Confluence.
"Most Confluence versions we identified were v7.13.0 (1,137 hosts), v7.13.2 (690 hosts), and v7.13.5 (429 hosts); and if the advisory is accurate, all of these versions are susceptible to this new attack," reads the Censys advisory.
Most of the exposed installs are located in the U.S., China, and Germany.
"It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealthy."
CISA added the flaw to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to immediately block all internet traffic to and from affected Confluence Server and Data Center instances and to remediate the flaw by June 6, 2022.