Attempts to exploit a critical Atlassian Confluence vulnerability tracked as CVE-2023-22527 started just days after the existence of the flaw came to light.
An advisory published by Atlassian on January 16 informed customers that out-of-date versions of Confluence Data Center and Server are affected by a critical security hole that allows an unauthenticated attacker to achieve remote code execution.
The company noted that Confluence Data Center and Server 8 versions released before December 5, 2023, as well as 8.4.5, which no longer receives backported patches, are impacted.
On Monday, January 22, the non-profit cybersecurity organization The Shadowserver Foundation reported seeing attempts to exploit CVE-2023-22527.
Shadowserver has seen close to 40,000 exploitation attempts coming from roughly 600 unique IP addresses. The activity is mostly “testing callback attempts and ‘whoami’ execution”, which suggests that malicious actors are looking for vulnerable servers that they can compromise and abuse to gain access to victims’ networks.
The organization pointed out that there are currently 11,000 Confluence instances exposed to the internet, but it’s unclear how many of them are actually vulnerable to attacks exploiting CVE-2023-22527.
The DFIR Report has also seen exploitation attempts for CVE-2023-22527. The company warned about the attacks on January 21.
Petrus Viet, the researcher who reported the flaw to Atlassian, has confirmed that it cannot be exploited against the latest versions of Confluence.
Technical details for the vulnerability were made public on Monday by ProjectDiscovery.
It’s not uncommon for threat actors to target Confluence vulnerabilities. The known exploited vulnerabilities catalog maintained by the US security agency CISA currently includes eight Confluence flaws — CVE-2023-22527 has yet to be added.