The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a Cybersecurity Advisory on a recently disclosed vulnerability in Atlassian Corp.’s Confluence Data Center and Server that opens the door to malicious cyber threat actors.
The vulnerability, tracked as CVE-2023-22515, has a CVSS score of 10. It is a critical broken access control vulnerability affecting Atlassian Confluence Data Center and Server versions 8.0.0 through 8.5.1.
Unauthenticated remote threat actors can create unauthorized Confluence administrator accounts and access Confluence instances. With that access, they can change the Confluence server’s configuration to indicate that setup is not complete and then use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is said to be triggered via a request to the unauthenticated /server-info.action endpoint.
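As an added, defender-side illustration (not code from the advisory, CISA or Atlassian), the following Python scans constructed web-server access-log lines for requests to the two endpoints named above and checks whether a version string falls in the stated affected range. The log format, the alert heuristics and the placeholder query string are assumptions; on an already-configured instance the /setup/ endpoints should never be reached, which is what makes such requests worth alerting on.

```python
import re

# Constructed sample access-log lines (Combined Log Format); not real traffic.
# The query string on /server-info.action is a placeholder; the real parameter is not reproduced.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2023:10:01:12 +0000] "GET /server-info.action?placeholder=1 HTTP/1.1" 302 0 "-" "curl/8.1"
203.0.113.7 - - [05/Oct/2023:10:01:14 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "curl/8.1"
198.51.100.4 - - [05/Oct/2023:10:02:30 +0000] "GET /wiki/spaces/OPS/pages/123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Oct/2023:10:02:45 +0000] "GET /server-info.action HTTP/1.1" 200 812 "-" "curl/8.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def version_tuple(version: str) -> tuple:
    """'8.5.1' -> (8, 5, 1); short versions are padded so '8.5' compares as 8.5.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version: str) -> bool:
    """True if the version is inside the advisory's affected range, 8.0.0 through 8.5.1."""
    return (8, 0, 0) <= version_tuple(version) <= (8, 5, 1)

def scan_access_log(log_text: str) -> list:
    """Return one alert dict per request that hits an endpoint named in the advisory.
    Heuristic (assumption): POSTs to the admin-setup endpoint, and any parameterised
    call to /server-info.action, are treated as possible exploitation attempts."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        route, _, query = m["path"].partition("?")
        reason = None
        if m["method"] == "POST" and route.endswith("/setup/setupadministrator.action"):
            reason = "POST to admin-setup endpoint on a configured instance"
        elif route.endswith("/server-info.action") and query:
            reason = "server-info.action called with parameters"
        if reason:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                           "status": int(m["status"]), "reason": reason})
    return alerts
```

Running `scan_access_log(SAMPLE_LOG)` on the constructed lines yields two alerts, both from the same source address, in the order the advisory describes the attack chain.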
A patch for the vulnerability was released at the start of this month, but as is not unusual in these cases, not all Atlassian users have applied it, and the vulnerability continues to be exploited, which is why CISA, the FBI and MS-ISAC have issued the advisory. Users of Confluence Data Center and Server are urged to apply the patch to affected instances immediately.
One group exploiting the vulnerability is believed to be Storm-0062, also known as Dark Shadow and Oro0lxy, a state-sponsored hacking group linked to China’s Ministry of State Security that is known for targeting software, engineering, medical research, government, defense and technology firms in the U.S., the U.K., Australia and various European countries to collect intelligence.