Threat actors have started exploiting a recently disclosed critical flaw CVE-2023-22518 in Confluence Data Center and Confluence Server.
Atlassian, earlier warned of the CVE-2023-22518 the issue is an improper authorization issue that can lead to significant data loss if exploited by an unauthenticated attacker.
Atlassian was not aware of attacks in the wild, exploiting this vulnerability. But, the company urged customers to immediately take action to protect their installs.
The vulnerability was addressed with the release of the following versions:
- 7.19.16 or later
- 8.3.4 or later
- 8.4.4 or later
- 8.5.3 or later, and
- 8.6.1 or later
Atlassian states that there is no impact on confidentiality as an attacker cannot exfiltrate any instance data. Confluence sites that are accessed via an atlassian.net domain are not impacted by this issue because are hosted by Atlassian.
Threat intelligence firm GreyNoise observed exploitation attempts for the vulnerability CVE-2023-22518.
Rapid7 researchers observed the exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment.
Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment.
Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server.