A recently patched critical vulnerability in Atlassian Confluence is now being actively exploited in the wild, researchers are warning.
The bug, tracked as CVE-2022-26138, is due to a hard-coded password in the Questions for Confluence app, which would allow attackers to gain complete access to data within the on-premises Confluence Server and Confluence Data Center platforms.
More specifically, once installed, the Questions for Confluence app creates a user account with a hard-coded password and adds that account to a user group that has access to all non-restricted pages in Confluence. This allows a remote, unauthenticated attacker to browse the Confluence instance.
Organizations are urged to patch quickly because the password was made public last week, prompting emergency action by Atlassian. Confluence is unfortunately a popular target for attackers, as evidenced by the active exploitation of the bug tracked as CVE-2022-26134 in June, used to spread ransomware.
The bug only exists when the Questions for Confluence app is enabled, and it does not impact the Confluence Cloud instance. “Uninstalling the Questions for Confluence app does not remediate this vulnerability,” according to Atlassian’s advisory last week.
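Because the account described above outlives the app that created it, a defender's first question is whether that account is still present in the broad-read group and whether it has ever been used to log in. The following is an added example, not code from the article or from Atlassian: it runs two checks over constructed data. The user-directory shape, the field names, the Tomcat-style access log layout, the group name and the account name (`app-created-account` is a stand-in; the real name is in Atlassian's advisory and is not reproduced here) are all assumptions.

```python
"""Audit for an app-created account with a hard-coded password (added example).

Check 1: over a user/group listing, flag active members of the broad-read group
         that are not in the organisation's approved user inventory.
Check 2: over access log lines, collect every authenticated request made by a
         flagged account, so its activity can be reviewed and scoped.
"""
import re
from datetime import datetime

SUSPECT_ACCOUNT = "app-created-account"   # hypothetical stand-in for the real account name
BROAD_READ_GROUP = "confluence-users"     # assumed name of the group granting read access

# Constructed directory listing, loosely shaped like a REST user/group export.
SAMPLE_DIRECTORY = {
    "users": {
        "alice": {"active": True},
        "bob": {"active": True},
        "old-contractor": {"active": False},
        SUSPECT_ACCOUNT: {"active": True},
    },
    "groups": {
        BROAD_READ_GROUP: ["alice", "bob", "old-contractor", SUSPECT_ACCOUNT],
        "confluence-administrators": ["alice"],
    },
}
APPROVED_USERS = {"alice", "bob"}  # the organisation's own inventory of known accounts

# Constructed access log lines in a Tomcat-style '%h %l %u %t "%r" %s %b' layout.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jul/2022:10:02:11 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '203.0.113.7 - app-created-account [21/Jul/2022:10:02:14 +0000] "POST /dologin.action HTTP/1.1" 302 0',
    '203.0.113.7 - app-created-account [21/Jul/2022:10:02:15 +0000] "GET /rest/api/content?limit=1000 HTTP/1.1" 200 88120',
    '198.51.100.4 - alice [21/Jul/2022:10:05:00 +0000] "GET /display/ENG/Roadmap HTTP/1.1" 200 7700',
    '203.0.113.9 - app-created-account [21/Jul/2022:11:30:01 +0000] "GET /display/HR/Salaries HTTP/1.1" 403 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def audit_group_members(directory, group, approved):
    """Return active members of `group` that are absent from the approved inventory."""
    users = directory["users"]
    return sorted(
        name for name in directory["groups"].get(group, [])
        if users.get(name, {}).get("active", False) and name not in approved
    )


def find_account_requests(log_lines, account):
    """Return every parsed request the log attributes to `account`."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["user"] == account:
            hits.append({
                "ip": m["ip"],
                "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
            })
    return hits


def summarize(hits):
    """Condense the hits: how many requests, from where, how many were actually served."""
    return {
        "requests": len(hits),
        "served": sum(1 for h in hits if h["status"] < 400),  # 4xx = authenticated but denied
        "distinct_ips": sorted({h["ip"] for h in hits}),
        "first_seen": min(h["time"] for h in hits).isoformat() if hits else None,
        "last_seen": max(h["time"] for h in hits).isoformat() if hits else None,
    }


if __name__ == "__main__":
    flagged = audit_group_members(SAMPLE_DIRECTORY, BROAD_READ_GROUP, APPROVED_USERS)
    print("unapproved members of", BROAD_READ_GROUP, "->", flagged)
    for account in flagged:
        print(account, summarize(find_account_requests(SAMPLE_LOG, account)))
```

The first check is what matters after the app is uninstalled: the account is a directory object, not an app artifact, so it has to be found and disabled on its own. The second check turns a flagged name into a scoping question (which addresses, which pages, whether anything was served) rather than a yes/no.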