Critical Atlassian Confluence vulnerability actively exploited by threat actors

 


Malicious actors are attempting to exploit a recently disclosed critical vulnerability affecting outdated versions of Atlassian Confluence servers, security researchers warn.

Tracked as CVE-2023-22527, the flaw is a template injection issue that can lead to remote code execution. According to Atlassian, the vulnerability affects only outdated Confluence Data Center and Confluence Server versions 8.0.0 through 8.5.3. It was fixed in Confluence Data Center and Server versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only), and in later versions.

Threat monitoring service Shadowserver reported that it observed over 36,000 exploitation attempts coming from over 600 IP addresses.

“We are seeing Atlassian Confluence CVE-2023-22527 pre-auth template injection RCE attempts since 2024-01-19. Over 600 IPs seen attacking so far (testing callback attempts and 'whoami' execution),” the organization wrote in a series of posts on X, noting that there are more than 11,000 Atlassian Confluence instances that are exposed on the internet.

Internet scanning outfit GreyNoise also said it saw multiple RCE exploit attempts.

“We are detecting activity for CVE-2023-22527, which relates to a critical Atlassian Confluence Template Injection RCE vulnerability. So far, commands are focused on id whoami and cat /etc/shadow - Patch before it's too late!,” GreyNoise urged.
