The United States Cybersecurity and Infrastructure Security Agency (CISA) is warning of the active exploitation of a recent Atlassian Bitbucket vulnerability and two Microsoft Exchange zero-days.
Atlassian Bitbucket is a Git-based repository management solution that provides source code hosting and sharing capabilities.
Tracked as CVE-2022-36804 (CVSS score of 9.9), the now-exploited vulnerability is described as a command injection bug that impacts multiple API endpoints of Bitbucket Server and Data Center.
“An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request,” Atlassian explains.
The issue impacts all Bitbucket versions released after 6.10.17, meaning that “any versions between 7.0.0 and 8.3.0 inclusive can be exploited by this vulnerability,” the company notes in its advisory.
Atlassian released a patch for this security flaw in August 2022, but it appears that not all Bitbucket users updated their deployments, and exploitation of this security bug started at least two weeks ago.
“We at have been observing active scanning and exploitation of the just announced CVE-2022-36804 – this CVE affects Atlassian Bitbucket,” tweeted on September 23 Tiago Henriques, founder of Coalition-owned BinaryEdge.
Data from threat intelligence firm GreyNoise also shows malicious exploitation attempts in late September.
CISA on Friday announced that it has added CVE-2022-36804 to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
Also on Friday, CISA added to the KEV list two Microsoft Exchange zero-days that were made public last week, and which are tracked as CVE-2022-41040 (server-side request forgery – SSRF) and CVE-2022-41082 (remote code execution).
Successful exploitation of the two flaws – which are named ProxyNotShell, due to similarities with the Exchange Server flaw called ProxyShell – requires authenticated access to a vulnerable server.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until October 21 to address these three vulnerabilities within their networks.
Related: CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation
Related: CISA Clarifies Criteria for Adding Vulnerabilities to ‘Must Patch’ List
Related: CISA: Vulnerability in Delta Electronics ICS Software Exploited in Attacks