US cybersecurity agency CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warn organizations of potential widespread exploitation of a recent zero-day vulnerability in Atlassian Confluence Data Center and Server.
Tracked as CVE-2023-22515 (CVSS score of 9.8), the bug has been exploited by a nation-state threat actor since September 14, roughly two weeks before Atlassian released patches for it.
Remotely exploitable without authentication, the flaw is described as a broken access control issue leading to privilege escalation. The issue impacts on-premises Confluence instances only.
“This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts,” CISA, FBI, and MS-ISAC note in an advisory (PDF).
Because it allows threat actors to modify critical configuration settings, the flaw may be used for more malicious actions than the creation of administrative accounts, the advisory reads.
“Threat actors can change the Confluence server’s configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is triggered via a request on the unauthenticated /server-info.action endpoint,” the three agencies say.
CISA added CVE-2023-22515 to its Known Exploited Vulnerabilities catalog on October 5 and warns that, following the publication of proof-of-concept (PoC) exploit code, multiple threat actors have started targeting the flaw in attacks.
“Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks,” the advisory continues.
The vulnerability impacts Confluence Data Center and Server versions 8.0.0 to 8.5.1 and has been addressed with the release of versions 8.3.3, 8.4.3, and 8.5.2 of the product.
Organizations with internet-accessible Confluence Data Center and Server instances are advised to update to a patched release as soon as possible. They should also consider restricting network access until the updates are applied.
In their advisory, CISA, FBI, and MS-ISAC have included details on the exploitation of CVE-2023-22515, as well as indicators-of-compromise (IoCs) to help organizations hunt for malicious activity associated with the bug’s exploitation.
“CISA, FBI, and MS-ISAC strongly encourage network administrators to immediately apply the upgrades provided by Atlassian. CISA, FBI, and MS-ISAC also encourage organizations to hunt for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs),” the US gov agencies note.
Related: Atlassian Security Updates Patch High-Severity Vulnerabilities
Related: Organizations Warned of Critical Confluence Flaw as Exploitation Continues
Related: Atlassian Patches Remote Code Execution Vulnerabilities in Confluence, Bamboo
