Exploitation of Critical Confluence Vulnerability Begins

November 6, 2023 at 07:42AM

GreyNoise has issued a warning about the first attempts to exploit a recent vulnerability in Atlassian Confluence Data Center and Confluence Server. The critical security flaw, CVE-2023-22518, could lead to significant data loss and affects all Confluence versions. Atlassian has released patches for the vulnerability, but has also warned that the risk of exploitation has increased due to the disclosure of critical information and active exploitation attempts.

Key Points from the Meeting Notes:

1. Exploitation attempts targeting Atlassian Confluence Data Center and Confluence Server vulnerability (CVE-2023-22518) were observed over the weekend.
2. The vulnerability, which was patched a week ago, is an improper authorization flaw that could result in significant data loss.
3. Atlassian issued a warning that critical information about the vulnerability had been made public, increasing the risk of exploitation.
4. ProjectDiscovery published technical information on the flaw and potential exploitation methods.
5. Atlassian updated its advisory to warn that the vulnerability is currently being actively exploited.
6. GreyNoise’s scanners detected in-the-wild exploitation of the vulnerability targeting organizations in the US, Taiwan, Ukraine, Georgia, Latvia, and Moldova.
7. The attacks originated from three different IP addresses.
8. While the vulnerability does not allow for data exfiltration, it can be used to replace the state of an instance with attacker-supplied data.
9. Specific versions of Confluence Data Center and Server were released last week to address the vulnerability.
10. All users are advised to update their instances or at least create backups and block internet access to vulnerable instances until patches are applied.
11. The US government expects widespread exploitation of the Atlassian Confluence vulnerability.
12. Microsoft attributes the zero-day attacks to a nation-state threat actor.
13. Atlassian also patched remote code execution vulnerabilities in Confluence and Bamboo.
