Hackers are exploiting a critical Atlassian Confluence vulnerability - here’s what you need to know

Atlassian logo displayed on a phone screen and a laptop keyboard are seen in this illustration
(Image credit: Getty Images)

A critical vulnerability in out-of-date Atlassian Confluence servers has been exploited over 39,000 times less than a week, prompting alerts from CISA and industry analysts for businesses to patch immediately. 

Tracked as CVE-2023-22527, the template injection vulnerability enables attackers to leverage a remote code execution (RCE) attack on the target device and was given a base score of 10 on the CVSS. 

The severity of the score reflects the fact that this vulnerability enables attackers to use RCE without the need for authentication on the network, in a relatively low complexity attack that could have catastrophic consequences for businesses.

The vulnerability affects legacy versions of Confluence Data Center and Server from versions 8 through to 8.5.3, meaning any organization running a vulnerable instance of Atlassian’s software should update immediately to minimize the chance of exploitation.

Security researcher Petrus Viet reported CVE-2023-22527 via Atlassian’s bug bounty program.

As of the time of writing, there are currently over 11,000 IoT devices exposed to the public internet running some version of the Confluence software, according to nonprofit security organization Shadowserver, but it isn’t clear how many are actually vulnerable.

Shadowserver recorded over 39,000 attempts to leverage the vulnerability in attacks distributed across more than 18,000 ports and over 600 unique IP addresses since disclosure.

The majority of these attempts were observed to have originated from Russian IP addresses in particular.

These attempts mostly consist of “testing callback attempts and ‘whoami’ execution”, according to Shadowserver’s analysis, as attackers try to hone in on vulnerable servers.

Atlassian Confluence: Firm advises customers to patch immediately 

In a security advisory disclosing the vulnerability, Atlassian noted customers who regularly update their software should not be affected by CVE-2023-22527 as the vulnerability was mitigated during regular updates.


2023 Cybersecurity Insiders VPN Risk Report whitepaper

(Image credit: Zscaler)

Explore the world of VPN management and get insight into its vulnerabilities


However, customers using outdated versions of Confluence Data Center and Server should make sure they patch immediately, as there are no mitigations or workarounds currently available.

“If you are on an out-of-date version, you must immediately patch. Atlassian recommends that you patch each of your affected installations to the latest version available."

Atlassian has dealt with a number of security incidents over recent years, with its Confluence solution being affected by a critical code execution vulnerability with a 9.8 base score on the CVSS scale in June 2022.

A further four new critical vulnerabilities affecting its Bitbucket, Confluence, and Jira solutions, all rated 9.0 on or higher on the CVSS scale, were disclosed by the company in a December security advisory. 

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.