Hackers Targeting Critical Atlassian Confluence Vulnerability Days After Disclosure

The Atlassian Confluence vulnerability CVE-2023-22527 is being exploited in the wild just days after it was disclosed. 

Attempts to exploit a critical Atlassian Confluence vulnerability tracked as CVE-2023-22527 started just days after the existence of the flaw came to light.

An advisory published by Atlassian on January 16 informed customers that out-of-date versions of Confluence Data Center and Server are affected by a critical security hole that allows an unauthenticated attacker to achieve remote code execution. 

The company noted that Confluence Data Center and Server 8 versions released before December 5, 2023, as well as 8.4.5, which no longer receives backported patches, are impacted. 

On Monday, January 22, the non-profit cybersecurity organization The Shadowserver Foundation reported seeing attempts to exploit CVE-2023-22527.

Shadowserver has seen close to 40,000 exploitation attempts coming from roughly 600 unique IP addresses. The activity is mostly “testing callback attempts and ‘whoami’ execution”, which suggests that malicious actors are looking for vulnerable servers that they can compromise and abuse to gain access to victims’ networks. 

The organization pointed out that there are currently 11,000 Confluence instances exposed to the internet, but it’s unclear how many of them are actually vulnerable to attacks exploiting CVE-2023-22527.

The DFIR Report has also seen exploitation attempts for CVE-2023-22527. The company warned about the attacks on January 21. 

Petrus Viet, the researcher who reported the flaw to Atlassian, has confirmed that it cannot be exploited against the latest versions of Confluence. 

Technical details for the vulnerability were made public on Monday by ProjectDiscovery.

It’s not uncommon for threat actors to target Confluence vulnerabilities. The known exploited vulnerabilities catalog maintained by the US security agency CISA currently includes eight Confluence flaws — CVE-2023-22527 has yet to be added.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

