Exploit for Atlassian Confluence RCE Vulnerability Released: Patching Recommendations

A proof-of-concept exploit has been released for CVE-2022-26134, an actively exploited critical vulnerability affecting Atlassian Confluence and Data Center servers.

Confluence Security Advisory 2022-06-02 | Confluence Data Center and Server 7.20 | Atlassian Documentation

An unauthenticated remote code execution vulnerability of critical severity is currently being actively exploited in the Confluence Data Center and Server, as confirmed by Atlassian. The OGNL injection vulnerability allows unauthenticated users to execute arbitrary code on Confluence Server or Data Center instances.

The vulnerability tracked as CVE-2022-26134 is a critical unauthenticated remote code execution vulnerability that can be exploited through OGNL injection and affects all Atlassian Confluence and Data Center 2016 servers.

A successful attack allows an unauthenticated remote attacker to create a new administrator account, execute commands, and ultimately take over the server.

This vulnerability was disclosed after Volexity discovered that several attackers were using it in their attacks. No patch was available at the time, and Atlassian commented that administrators should take the server offline or block it from being accessed from the Internet.

Atlasian released a security update to fix the vulnerability, but just then the attack escalated.

Confluence Exploit Exposed

A proof-of-concept exploit for Atlassian’s Confluence vulnerability has been released to the public. The vulnerability was widely spread online, and researchers shared on Twitter how trivial the vulnerability was.

Andrew Morris, CEO of cybersecurity firm GreyNoise, tweeted that he has begun to see 23 unique IP addresses exploiting the Atlassian vulnerability.

GreyNoise reports that the number of unique IP addresses attempting to exploit this vulnerability has increased approximately tenfold to 211 unique IP addresses.

A Confluence vulnerability posted online shows how to create new admin accounts, force DNS requests, gather information, and generate reverse shells.

Patch Confluence servers now

If you have not yet patched your Confluence or Data Center servers for security vulnerabilities, you must do so immediately before an attacker can compromise them.

Versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 were released

If for some reason you are unable to patch your server immediately, Atlassian offers mitigations from Confluence 7.0.0 through version 7.18.0.

Confluence servers are an attractive target for initial access to the corporate network, so devices should be updated immediately, mitigations put in place, or taken offline.

In the worst case scenario, this could lead to a more serious attack, such as ransomware deployment or data theft.