Connect with us

Hi, what are you looking for?



Atlassian Patches Confluence Zero-Day as Exploitation Attempts Surge

Atlassian informed customers on Friday that it has released patches for the critical Confluence Server vulnerability that has been exploited in attacks. The announcement came just before cybersecurity organizations warned that exploitation attempts have spiked.

Atlassian informed customers on Friday that it has released patches for the critical Confluence Server vulnerability that has been exploited in attacks. The announcement came just before cybersecurity organizations warned that exploitation attempts have spiked.

Volexity informed Atlassian on May 31 that its employees had become aware of a Confluence Server zero-day vulnerability following an incident response investigation.

The flaw, tracked as CVE-2022-26134, appears to affect all supported versions of Confluence Server and Data Center. The vendor initially made available workarounds and mitigations on June 2, and on Friday it released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 to patch the vulnerability.

The vendor said no Atlassian Cloud sites have been impacted. All potentially vulnerable customers have been notified directly about the fix.

The security hole can be exploited by an unauthenticated attacker for remote code execution. The initial attacks exploiting the zero-day involved the delivery of webshells and other malware, and Volexity said they likely came from China.

Threat intelligence company GreyNoise saw a significant increase in the number of exploitation attempts over the weekend. The firm has seen hundreds of IP addresses trying to exploit the vulnerability.

Cloudflare has also reported seeing a surge in scanning and attack attempts, and the company has found evidence suggesting that potentially malicious payloads have been delivered since at least May 26 via CVE-2022-26134.

Advertisement. Scroll to continue reading.

“Some of the activity we are observing is indicative of malware campaigns and botnet behavior,” Cloudflare said.

Threat intelligence firm CounterCraft has seen attempts to exploit CVE-2022-26134 in an effort to deliver cryptocurrency miners.

Rapid7 has made available a technical analysis of the vulnerability and it has also released a proof-of-concept (PoC) exploit.

Internet asset discovery company Censys and the cybersecurity non-profit Shadowserver reported seeing thousands of internet-exposed Confluence servers that could be vulnerable to attacks, many of them located in the United States.

The US Cybersecurity and Infrastructure Security Agency (CISA) has instructed federal agencies to immediately take action to address the vulnerability.

Cybersecurity companies have been updating their products and services to ensure that attacks exploiting CVE-2022-26134 are blocked, but organizations that have not invested in security could still get hit.

Related: Atlassian Patches Critical Code Execution Vulnerability in Confluence

Related: Atlassian Patches Critical Authentication Bypass Vulnerability in Jira

Related: USCYBERCOM Warns of Mass Exploitation of Atlassian Vulnerability Ahead of Holiday Weekend

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.