
Within three days of public disclosure, malicious actors have begun actively exploiting a recently disclosed critical security vulnerability affecting Atlassian Confluence Data Center and Confluence Server.
Tracked as CVE-2023-22527 (CVSS score: 10.0), the vulnerability affects out-of-date versions of the software and could allow an unauthenticated attacker to achieve remote code execution on a vulnerable installation.
This flaw affects Confluence Data Center and Server 8 versions released before December 5, 2023, as well as 8.4.5.
Just days after the vulnerability became public knowledge, nearly 40,000 exploit attempts against CVE-2023-22527 were recorded, beginning as early as January 19, from more than 600 unique IP addresses, according to both the Shadowserver Foundation and The DFIR Report.
The activity is currently limited to “testing callback attempts and ‘whoami’ executions,” suggesting that threat actors are opportunistically scanning for vulnerable servers to exploit later.
The majority of attacker IP addresses came from Russia (22,674), followed by Singapore, Hong Kong, the United States, China, India, Brazil, Taiwan, Japan, and Ecuador.

As of January 21, 2024, more than 11,000 Atlassian instances have been found to be accessible over the Internet, but it is unclear how many of these instances are vulnerable to CVE-2023-22527.
“CVE-2023-22527 is a critical vulnerability within Atlassian Confluence servers and data centers,” ProjectDiscovery researchers Rahul Maini and Harsh Jaiswal said in a technical analysis of the flaw.
“This vulnerability could allow an unauthenticated attacker to inject OGNL expressions into a Confluence instance, thereby executing arbitrary code and system commands.”
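The scanning wave described above leaves a recognisable trace in web-server access logs: requests whose query string carries the opening sequence of an OGNL or EL template (`#{`, `${`, `%{`), sometimes together with the `whoami` probe the reports mention. The following Python script is an added example written for this page; it is not code from the article, from Shadowserver, The DFIR Report or ProjectDiscovery. It assumes a combined-access-log line format, and the log lines, IP addresses and `/placeholder.vm` paths in it are constructed placeholders, not the endpoint involved in CVE-2023-22527.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in a combined access-log style (hypothetical; not
# real Confluence logs and not real exploit traffic). Paths are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jan/2024:10:01:02 +0000] "GET /index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jan/2024:10:02:15 +0000] "POST /placeholder.vm?q=%23%7B%27whoami%27%7D HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.7 - - [19/Jan/2024:10:02:18 +0000] "POST /placeholder.vm?q=%24%7Bx%7D HTTP/1.1" 200 812 "-" "python-requests/2.31"
192.0.2.55 - - [19/Jan/2024:10:03:40 +0000] "GET /rest/api/content?title=whoami+report HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.99 - - [19/Jan/2024:10:04:01 +0000] "POST /placeholder.vm?q=%25%7B1%2B1%7D HTTP/1.1" 200 812 "-" "curl/8.4.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Opening sequences of OGNL / expression-language templates.
OGNL_MARKERS = ("#{", "${", "%{")
# Post-exploitation probe named in the reported scanning activity.
PROBE_TOKENS = ("whoami",)


def decode_path(path: str) -> str:
    """Percent-decode twice so double-encoded markers (e.g. %2523 -> %23 -> #) are visible."""
    return unquote(unquote(path))


def classify(path: str) -> list[str]:
    """Return the reasons a request path looks suspicious (empty list if none)."""
    decoded = decode_path(path).lower()
    reasons = []
    if any(marker in decoded for marker in OGNL_MARKERS):
        reasons.append("ognl_marker")   # high confidence: template syntax in a URL
    if any(token in decoded for token in PROBE_TOKENS):
        reasons.append("probe_token")   # low confidence on its own; corroborating
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse each log line and keep the ones that match a detection reason."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than guess
        reasons = classify(m["path"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "path": m["path"], "reasons": reasons})
    return findings


def sources(findings: list[dict]) -> Counter:
    """Count flagged requests per source IP, to spot the scanners."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit["ts"], hit["ip"], hit["reasons"], hit["path"])
    print(sources(hits))
```

Two caveats a defender should keep in mind: the request body of a POST is not written to an access log, so a payload carried only in the body will not be seen here and the check needs to be paired with application-level or WAF logging; and a hit on `whoami` alone (the fourth sample line) is only corroborating evidence, while the `ognl_marker` reason is what merits a closer look. Detection does not replace patching: the affected versions named above need to be updated.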