CVE-2023-22527 is actively used in attacks on thousands of Atlassian servers

The Shadowserver Service is documenting attempts to exploit the critical vulnerability CVE-2023-22527, which enables remote code execution on outdated versions of Atlassian Confluence servers.

Atlassian disclosed the issue last week, noting that it affects only versions of Confluence released before December 5, 2023, as well as certain versions that are no longer supported.

The vulnerability, CVE-2023-22527 (CVSS score 10.0), is described as a template injection flaw that allows an unauthenticated remote attacker to execute code on vulnerable Confluence Data Center and Confluence Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 – 8.5.3. A fix is available in Confluence Data Center 8.6.0 and in Server version 8.5.4 (LTS) and later.

Since January 19, the Shadowserver threat monitoring service has recorded over 39,000 attempts to exploit CVE-2023-22527, originating from more than 600 unique IP addresses. According to The DFIR Report, attackers are verifying callbacks by executing the “whoami” command to gather information about access levels and privileges on the system.

Currently, over 11,200 Atlassian Confluence servers are reachable from the internet, although not all of them are necessarily running a vulnerable version.

Atlassian previously stated it cannot provide specific Indicators of Compromise (IoCs) that would assist in detecting instances of exploitation. Confluence server administrators should ensure that the servers they manage have been updated to at least a version released after December 5, 2023.
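The version ranges listed above are the only concrete signal administrators have, so a quick inventory check is the practical first step. The following script is an added example, not code from Atlassian or from the article; it encodes exactly the affected and fixed ranges stated above, treats any version outside the enumerated 8.x line as "unknown" (the text says some unsupported versions are also affected without naming them), and runs over a constructed inventory of hostnames and version strings.

```python
"""Triage Confluence version strings against the CVE-2023-22527 ranges.

Added example (not from Atlassian or the article). Rules come from the
advisory summary above:
  affected: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3
  fixed:    8.5.4 and later 8.5.x, 8.6.0 and later
  unknown:  anything below 8.0 (the text says certain unsupported
            versions are affected but does not enumerate them)
"""
import re
from typing import Dict, Tuple

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "confluence-a.example.internal": "8.5.3",
    "confluence-b.example.internal": "8.5.4",
    "confluence-c.example.internal": "8.2.1",
    "confluence-d.example.internal": "8.6.0",
    "confluence-e.example.internal": "7.19.2",
    "confluence-f.example.internal": "not-a-version",
}

# Accept "major.minor.patch" and ignore any trailing qualifier (e.g. "-rc1").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); raise ValueError on unparsable input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def cve_2023_22527_status(version: str) -> str:
    """Classify a Confluence version as 'affected', 'fixed' or 'unknown'."""
    major, minor, patch = parse_version(version)
    if major < 8:
        return "unknown"        # not enumerated in the advisory text
    if major > 8:
        return "fixed"          # "8.6.0 and later" covers newer majors
    if minor <= 4:
        return "affected"       # 8.0.x - 8.4.x
    if minor == 5:
        return "affected" if patch <= 3 else "fixed"   # 8.5.0-8.5.3 vs 8.5.4+
    return "fixed"              # 8.6.x and later 8.x


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its status; unparsable versions count as 'unknown'."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = cve_2023_22527_status(version)
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:35} {status}")
```

Hosts that come back "affected" or "unknown" are the ones to prioritise for the update and the compromise assessment described below; "unknown" is deliberately not treated as safe.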

Organizations with outdated Confluence servers may consider them potentially compromised, which means searching for signs of exploitation, performing a thorough cleanup, and updating to a secure version.