Security researchers are observing exploitation attempts for the CVE-2023-22527 remote code execution flaw vulnerability that affects outdated versions of Atlassian Confluence servers.
Atlassian disclosed the security issue last week and noted that it impacts only Confluence versions released before December 5, 2023, along with some out-of-support releases.
The flaw has a critical severity score and is described as a template injection weakness that allows unauthenticated remote attackers to execute code on vulnerable Confluence Data Center and Confluence Server endpoints, versions versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3.
A fix is available for Confluence Data Center and Server versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only), and later versions.
Threat monitoring service Shadowserver reports today that its systems recorded thousands of attempts to exploit CVE-2023-22527, the attacks originating from a little over 600 unique IP addresses.
The service says that attackers are trying out callbacks by executing the ‘whoami‘ command to gather information about the level of access and privileges on the system.
The total number of exploitation attempts logged by The Shadowserver Foundation is above 39,000, most of the attacks coming from Russian IP addresses.
Shadowserver reports that its scanners currently detect 11,100 Atlassian Confluence instances accessible over the public internet. However, not all of those necessarily run a vulnerable version.
Atlassian Confluence vulnerabilities are assets frequently exploited by various types of attackers, including sophisticated state-sponsored threat actors and opportunistic ransomware groups.
Regarding CVE-2023-22527, Atlassian has previously said it was unable to provide specific indicators of compromise (IoCs) that would aid in detecting cases of exploitation.
Confluence server administrators should make sure that the endpoints they manage have been updated at least to a version released after December 5, 2023.
For organizations with outdated Confluence instances, the advice is to treat them as potentially compromised, look for signs of exploitation, perform a thorough cleanup, and update to a safe version.