January 23, 2024 at 05:06AM
Malicious actors are actively exploiting a critical security flaw in Atlassian Confluence Data Center and Server (CVE-2023-22527) that allows remote code execution on susceptible installations. Over 40,000 exploitation attempts and testing callback efforts have been recorded, most of them originating from Russia. More than 11,000 Atlassian instances are accessible online, but how many of them are actually vulnerable is not known.
Key takeaways:
– A critical security flaw, tracked as CVE-2023-22527 with a CVSS score of 10.0, affects out-of-date versions of Atlassian Confluence Data Center and Confluence Server 8 released before December 5, 2023, as well as version 8.4.5.
– Malicious actors have been actively exploiting the vulnerability, with nearly 40,000 exploitation attempts recorded from more than 600 unique IP addresses, primarily from Russia, Singapore, Hong Kong, the U.S., China, India, Brazil, Taiwan, Japan, and Ecuador.
– The exploitation attempts involve “testing callback attempts and ‘whoami’ execution,” indicating that threat actors are scanning for vulnerable servers in preparation for follow-on exploitation.
– Over 11,000 Atlassian instances were found to be accessible over the internet as of January 21, 2024, although the vulnerability status of these instances is not clear.
– The CVE-2023-22527 vulnerability allows unauthenticated attackers to inject OGNL expressions into the Confluence instance, enabling the execution of arbitrary code and system commands.
It is advisable to take immediate action to address this vulnerability and secure the vulnerable Atlassian instances to prevent further exploitation.
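The report describes the attacks as OGNL expression injection followed by callback tests and ‘whoami’ execution, but it does not give the vulnerable endpoint or the exact payload shape, so a defender cannot write a signature from it alone. The script below is an added example, not code from the report or from Atlassian: it scans web-server access logs for generic expression-language injection indicators (`%{`, `${`, `#{` markers, `@java.` class references, runtime-execution method names and `\u00xx` escape sequences) in the URL-decoded request target, decoding twice because attackers double-encode to slip past naive filters. The log lines, IP addresses, paths and the indicator list are all constructed assumptions for illustration; the indicator list is a starting point for triage, not a complete detection for this CVE.

```python
"""Triage helper: flag access-log requests carrying OGNL / expression-language
injection indicators.  Added example; the log lines below are constructed and
the indicator list is an assumption, not a vendor-published signature."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Combined Log Format (RFC 5737 documentation IPs).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jan/2024:10:00:01 +0000] "GET /display/HOME HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jan/2024:10:00:05 +0000] "GET /pages/search.action?q=%25%7Bwhoami%7D HTTP/1.1" 200 642 "-" "python-requests/2.31"
198.51.100.7 - - [21/Jan/2024:10:00:06 +0000] "GET /pages/search.action?q=%2524%257Bid%257D HTTP/1.1" 200 640 "-" "python-requests/2.31"
192.0.2.44 - - [21/Jan/2024:10:00:09 +0000] "POST /login.action?os_username=%40java.lang.Runtime%40getRuntime%28%29 HTTP/1.1" 302 0 "-" "curl/8.4.0"
192.0.2.44 - - [21/Jan/2024:10:00:10 +0000] "POST /login.action?os_username=%5Cu0027%5Cu0027 HTTP/1.1" 302 0 "-" "curl/8.4.0"
this line is deliberately malformed and must be skipped
"""

# Parse only the fields triage needs: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic indicators of expression-language injection (assumption: heuristic, not
# the exact CVE-2023-22527 payload).  Order matters: hits are reported in this order.
INDICATORS = [
    ("expression_marker", re.compile(r"[%#$]\{")),            # %{ ${ #{ expression openers
    ("java_class_ref", re.compile(r"@java\.", re.IGNORECASE)),  # static class references
    ("runtime_exec", re.compile(r"getRuntime|ProcessBuilder|\.exec\(", re.IGNORECASE)),
    ("unicode_escape", re.compile(r"\\u00[0-9a-f]{2}", re.IGNORECASE)),  # \u0027 style obfuscation
]


def decode_target(target: str) -> tuple[str, str]:
    """Return (decoded once, decoded twice); the pair differs only when the
    request was double-encoded, which is itself worth flagging."""
    once = unquote_plus(target)
    twice = unquote_plus(once)
    return once, twice


def analyse_line(line: str):
    """Parse one log line; return a finding dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    once, twice = decode_target(m.group("target"))
    hits = [name for name, rx in INDICATORS if rx.search(twice)]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "target": m.group("target"),
        "decoded": twice,
        "double_encoded": once != twice,
        "hits": hits,
    }


def scan_log(text: str) -> list[dict]:
    """Return findings for every parsable line that matched at least one indicator."""
    findings = []
    for line in text.splitlines():
        result = analyse_line(line)
        if result and result["hits"]:
            findings.append(result)
    return findings


def hits_per_source(findings: list[dict]) -> dict[str, int]:
    """Count flagged requests per client IP, for prioritising which sources to review first."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " (double-encoded)" if f["double_encoded"] else ""
        print(f'{f["ts"]} {f["ip"]} {f["method"]} {f["decoded"]} -> {", ".join(f["hits"])}{flag}')
    print(hits_per_source(scan_log(SAMPLE_LOG)))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; any hit deserves a look at the Confluence application logs for the same timestamp, and sources that also appear in outbound-connection logs (the “callback” behaviour the report mentions) should be prioritised. Matching on the fully decoded target rather than the raw request line is the design point: a filter that inspects only the raw URL misses the double-encoded third sample line entirely.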