USCYBERCOM and the Cybersecurity and Infrastructure Security Agency (CISA) are sounding the alarm just before the Labor Day weekend in the U.S., urging organizations to patch a critical vulnerability (CVE-2021-26084) affecting Atlassian Confluence Server and Data Center.
“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” USCYBERCOM tweeted Friday morning. “Please patch immediately if you haven’t already — this cannot wait until after the weekend.”
On August 25, Atlassian issued patches to address the critical code execution vulnerability that carried a CVSS score of 9.8. Described by the software maker as an OGNL injection issue that can be exploited by an authenticated attacker — and in some cases an unauthenticated attacker — to execute arbitrary code on affected systems, the flaw has been fixed with the release of versions 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0.
Shortly after the patches were announced, attackers began exploiting the vulnerability, with researchers saying the exploit was easier to reproduce than expected.
After the first in-the-wild exploitation attempts were spotted, researchers released a technical analysis of the vulnerability and proof-of-concept (PoC) exploit code, which will likely lead to even more threat groups adding the Confluence vulnerability to their arsenal.
CISA is urging users to review Atlassian Security Advisory 2021-08-25 and immediately apply the necessary patches.
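A practical first step for the patch instruction above is to check an inventory of Confluence instances against the fixed versions named earlier (6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0). The following Python triage script is an added example, not code from the article, Atlassian or CISA. The inventory entries are constructed sample data, and the rule it applies is an assumption derived from that fixed-version list rather than a restatement of the advisory's affected-version table: a build counts as patched only if it is at or above the fix release for its own major.minor branch, or at 7.13.0 or later; everything else is reported as vulnerable, with the smallest fix release above the running version suggested as the upgrade target.

```python
"""Triage Confluence Server / Data Center versions against the
CVE-2021-26084 fix releases named in Atlassian's 2021-08-25 advisory.

Added example, not part of the article. The comparison rule is an
assumption derived from the fixed-version list: a build is treated as
patched only if it is at or above the fix release for its own
major.minor branch, or at 7.13.0 or later. Everything else is reported
as vulnerable. Suffixed builds such as "7.4.11-SNAPSHOT" are rejected.
"""

FIXED_VERSIONS = ("6.13.23", "7.4.11", "7.11.6", "7.12.5", "7.13.0")


def parse_version(text):
    """Turn '7.4.11' into (7, 4, 11) so that tuples compare numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected Confluence version format: {text!r}")
    return parts


_FIXED = sorted(parse_version(v) for v in FIXED_VERSIONS)
_LATEST_FIX = _FIXED[-1]  # (7, 13, 0): every later release is patched


def is_patched(version):
    """True if this build carries the CVE-2021-26084 fix (assumed rule)."""
    v = parse_version(version)
    if v >= _LATEST_FIX:
        return True
    for fix in _FIXED:
        if fix[:2] == v[:2]:
            # Same maintenance branch: patched iff at or after the fix build.
            return v >= fix
    # Branch with no fix release (e.g. 7.10.x): nothing below 7.13.0 is safe.
    return False


def recommended_fix(version):
    """Smallest fix release above the running version, or None if patched."""
    if is_patched(version):
        return None
    v = parse_version(version)
    target = min(fix for fix in _FIXED if fix > v)
    return ".".join(str(n) for n in target)


def triage(inventory):
    """Map host -> (status, upgrade target) for a list of (host, version)."""
    report = {}
    for host, version in inventory:
        if is_patched(version):
            report[host] = ("patched", None)
        else:
            report[host] = ("VULNERABLE", recommended_fix(version))
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("wiki-prod-01", "7.12.4"),
    ("wiki-prod-02", "7.13.0"),
    ("wiki-legacy", "6.13.22"),
    ("wiki-dev", "7.10.2"),
    ("wiki-dr", "7.4.11"),
    ("wiki-old", "6.14.0"),
]

if __name__ == "__main__":
    for host, (status, target) in triage(SAMPLE_INVENTORY).items():
        suffix = f" -> upgrade to {target}" if target else ""
        print(f"{host:14s} {status}{suffix}")
```

Feed it the output of an asset inventory or the version string shown on each instance's admin page; any host reported as VULNERABLE should be patched or taken offline before the weekend, in line with the agencies' advice above.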
However, security industry veteran Dave Aitel believes patching now may not be enough. “To be honest I think this is bad advice. People should be taking these systems completely offline and rebuilding them from scratch,” Aitel said in a tweet.
The pre-holiday Atlassian warnings followed an earlier alert this week from CISA and the FBI, warning that ransomware actors deliberately launch attacks during holidays and weekends. In a joint alert, the two agencies noted that previous U.S. holidays, such as the Fourth of July weekend in 2021, were marked by an increase in cyber-incidents involving ransomware.