The first in-the-wild exploitation attempts targeting a recent vulnerability in Atlassian Confluence Data Center and Confluence Server were observed over the weekend, threat intelligence firm GreyNoise warns.
Patched a week ago, the critical security defect tracked as CVE-2023-22518 (CVSS score of 9.1) is an improper authorization flaw that could lead to “significant data loss”, Atlassian warned. The issue impacts all Confluence versions.
Less than five days after releasing the patch, Atlassian issued a second warning, informing customers that “critical information about the vulnerability” had been made public, and that the risk of exploitation had increased significantly.
The enterprise software maker issued the fresh alert on the same day that ProjectDiscovery published technical information on the flaw, along with details on potential exploitation methods.
On Friday, Atlassian updated its initial advisory again, to warn that the vulnerability is under active exploitation.
“We received a customer report of an active exploit. Customers must take immediate action to protect their instances. If you already applied the patch, no further action is required,” the company’s updated advisory reads.
Over the weekend, GreyNoise’s scanners caught in-the-wild exploitation of CVE-2023-22518 targeting organizations in the US, Taiwan, Ukraine, Georgia, Latvia, and Moldova.
Attacks were originating from three different IP addresses, GreyNoise CEO and founder Andrew Morris pointed out on Sunday.
While the issue cannot be exploited to exfiltrate data from vulnerable Confluence servers, it could be used to replace the state of an instance to attacker-supplied data, without authentication.
Rapid7 too has observed multiple attempts to exploit web-accessible Confluence servers and says that at least some of the attacks targeted CVE-2023-22518, while others targeted CVE-2023-22515, a critical Confluence zero-day that came to light on October 4.
“The process execution chain, for the most part, is consistent across multiple environments, indicating possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers,” Rapid7 notes in a November 6 post.
Multiple attack chains, the cybersecurity firm notes, involved the post-exploitation execution of commands to download a malicious payload, leading to a Cerberus ransomware infection.
Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1 were released last week to address CVE-2023-22518. All users are advised to update their instances as soon as possible or at least create backups and block internet access to vulnerable instances until patches are applied.
*Updated with information from Rapid7