Update now! Atlassian Confluence vulnerability is being actively exploited

Microsoft Threat Intelligence has revealed that it has been tracking the active exploitation of a vulnerability in Atlassian Confluence software since September 14, 2023. At the time the attacks were first observed the vulnerability was a zero-day, meaning that no update was available, so defenders had “zero days” to patch the flaw.

The vulnerability has since been issued an ID, CVE-2023-22515, and rated with the highest possible severity, a CVSS score of ten. Atlassian’s October 4 advisory warns that “Publicly accessible Confluence Data Center and Server versions … are at critical risk and require immediate attention.”

If you are running Confluence Data Center or Confluence Server inside your organisation and it’s exposed to the public internet you should take steps to prevent exploitation, upgrade your software and look for evidence of compromise (take a look at the Atlassian advisory for detailed information about threat hunting).

Versions of Atlassian Confluence before 8.0.0 are not vulnerable. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue. The fixed versions of Confluence are 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later.

CVE-2023-22515 is a broken access control vulnerability that allows an attacker with network access to the server to create unauthorized Confluence administrator accounts and access Confluence instances. If your Confluence software is on the public internet than the attacker has network access over the internet.

On October 10, 2023, Atlassian updated its advisory to say that it has “evidence to suggest that a known nation-state actor is actively exploiting CVE-2023-22515”.

On the same day, Microsoft Threat Intelligence took to X (formerly Twitter), to say that a nation-state actor, codenamed Storm-0062, which it believes to be a nation-state actor working on behalf of China, had been exploiting CVE-2023-22515 since mid-September.

Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.— Microsoft Threat Intelligence (@MsftSecIntel) October 10, 2023

Although the vulnerability started as a zero-day in the hands of nation state hackers, it will likely take on a second life in the hands of less sophisticated criminals.

We are now in the “patch gap,” the period of time between a patch being available and it being applied. This creates a window of opportunity for mass exploitation, which could last months or even years. The arrival of a patch allows organisations to fix their systems, it also informs a wider group of criminals about the existence of the vulnerability. Criminals and researchers can then reverse engineer the patch to identify the problem, and then create their own code to exploit it, or wait for others to do it for them.

Proof-of-concept exploits for CVE-2023-22515 have already appeared on GitHub so there is not time to lose. How long the patch gap lasts is entirely down to how quickly organisations update their Confluence software. History suggests organisations may struggle to find the speed required. For example, one of 2022’s most routinely exploited vulnerabilities was CVE-2021-26084, a remote code execution flaw in Confluence that was discovered in the middle of the previous year.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability Assessment and Patch Management.