Atlassian Confluence RCE bug exploit revealed; fix immediately

This weekend, proof-of-concept exploits for the critical, actively exploited CVE-2022-26134 vulnerability affecting Atlassian Confluence and Data Center servers were widely distributed.

CVE-2022-26134 is a severe unauthenticated remote code execution vulnerability that affects all Atlassian Confluence and Data Center 2016 servers after version 1.3.0.

Successful exploitation allows unauthenticated, remote attackers to create new admin accounts, run commands, and eventually seize control of the server.

After Volexity determined it was being used by various threat actors in attacks, the vulnerability was made public last week. Because a patch was not available at the time, Atlassian urged administrators to take servers offline or disable Internet access.

Atlassian provided security upgrades to fix the vulnerability on Friday, just as attacks in the wild ramped up.

Confluence exploits made public

A proof-of-concept exploit for the Atlassian Confluence vulnerability was made public on Friday afternoon. Over the weekend, the exploit quickly spread across the internet, with researchers posting examples on Twitter of how easy the vulnerability was to exploit.

Andrew Morris, the CEO of cybersecurity firm GreyNoise, tweeted yesterday afternoon that they had started seeing 23 unique IP addresses exploiting Atlassian vulnerabilities.

According to GreyNoise, the number of unique IP addresses attempting to exploit this vulnerability has increased nearly tenfold, to 211.

The Confluence exploits posted online show how to create new admin accounts, force DNS requests, collect data, and generate reverse shells.

Now is the time to patch your Confluence servers.

If you haven’t already fixed the security vulnerability in your Confluence or Data Center servers, you should do it right away to avoid being hacked.

The Atlassian advisory states, “Released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1 which contain a patch for this issue.”

If you are unable to fix your servers immediately for some reason, Atlassian has supplied mitigations for Confluence 7.0.0 through 7.18.0.
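As an added example (not from Atlassian or the original article), the following Python script triages a version inventory against the fixed releases and the mitigation range quoted above. The inventory format and host names are constructed, and treating releases newer than 7.18.1 as patched is an assumption.

```python
import re

# Fixed releases quoted from the Atlassian advisory above, keyed by (major, minor).
FIXED = {(7, 4): 17, (7, 13): 7, (7, 14): 3, (7, 15): 2,
         (7, 16): 4, (7, 17): 4, (7, 18): 1}

def parse_version(text):
    """Return (major, minor, patch), or None if text is not a dotted version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def triage(version):
    v = parse_version(version)
    if v is None:
        return "unknown"                      # fail closed: verify by hand
    if v < (1, 3, 0):
        return "not-affected"                 # article: affected after 1.3.0
    fixed_patch = FIXED.get(v[:2])
    if fixed_patch is not None and v[2] >= fixed_patch:
        return "patched"
    if v > (7, 18, 1):
        return "patched"                      # assumption: later lines carry the fix
    if (7, 0, 0) <= v <= (7, 18, 0):
        return "vulnerable-mitigate-or-upgrade"   # mitigations exist for 7.0.0-7.18.0
    return "vulnerable-upgrade-or-offline"    # no mitigation listed for this line

# Constructed sample inventory: "<host> <version>" per line (all values made up).
SAMPLE = """\
wiki-prod.example.internal 7.13.6
wiki-dr.example.internal 7.13.7
docs.example.internal 6.15.9
kb.example.internal 7.18.0
legacy.example.internal 7.4.17
lab.example.internal unknown-build
"""

def needs_action(inventory):
    """Return (host, version, status) for every host that is not confirmed safe."""
    flagged = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(" ")
        status = triage(version)
        if status not in ("patched", "not-affected"):
            flagged.append((host, version.strip(), status))
    return flagged

if __name__ == "__main__":
    for host, version, status in needs_action(SAMPLE):
        print(f"{host:30} {version:15} {status}")
```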

Because Confluence servers are a popular target for gaining initial access to a corporate network, devices should be upgraded, mitigated, or taken offline as soon as possible.

Failure to do so will result in more serious attacks, such as ransomware deployment and data theft.
