Confluence Server and Data Center – CVE-2022-26134 – Critical severity unauthenticated remote code execution vulnerability
“The flaw was discovered by researchers at Volexity, who uncovered it as part of an incident response investigation over the Memorial Day weekend in the United States. Existing exploitation involved the use of web shells, including the China Chopper web shell. The presence of a web shell provides an attacker with the ability to maintain access to a compromised system even after a vulnerability like this one has been patched. We observed the same following exploitation of the ProxyShell vulnerability last year, where attackers implanted web shells onto vulnerable Microsoft Exchange Server instances.
“A number of Confluence Server versions are potentially vulnerable to this new flaw. So if an organisation is using one of the affected Confluence Server and Data Center versions and it is publicly accessible over the internet, they are at significant risk. At this time, organisations are advised to restrict access to their Confluence Server and Data Center instances by placing them behind a Virtual Private Network (VPN) or if feasible, disabling these instances altogether until a patch is available.
“While there are currently no exploitation details or proof-of-concept for this vulnerability, we know from history that attackers relish the opportunity to target Atlassian products like Confluence. We strongly encourage organisations to review these mitigation options until patches are available.” — Satnam Narang, Senior Staff Research Engineer, Tenable
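The point about web shells above is that patching alone does not evict an attacker who already dropped one, so a hunt for shells in the web root belongs alongside the patch. The following is an added example written for this page, not code from Tenable or Atlassian, and it uses no indicators from the advisory: it flags JSP files that combine a code-execution primitive with request-supplied input, which is the shape a China Chopper style one-liner or any other JSP shell takes. The directory layout, file names and the indicator strings are assumptions for illustration; the sample web root is constructed inside the script so it runs offline.

```python
"""Hunt for JSP web shells in a Confluence web root.

Added example for illustration; paths and indicator patterns are assumed
heuristics, not signatures from the advisory or from Atlassian.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Generic code-execution primitives a JSP web shell needs (assumed heuristics).
EXEC_PATTERNS = {
    "runtime_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec"),
    "process_builder": re.compile(r"\bProcessBuilder\b"),
    "define_class": re.compile(r"\bdefineClass\b"),
    "script_engine": re.compile(r"\bScriptEngine(Manager)?\b"),
}
# Attacker-controlled input a shell reads its command from.
INPUT_PATTERN = re.compile(r"request\s*\.\s*get(Parameter|Header|InputStream|Reader)\b")
JSP_SUFFIXES = (".jsp", ".jspx", ".jspf")


@dataclass
class Finding:
    path: str
    name: str
    indicators: list
    severity: str  # "high": exec primitive fed by request input; "medium": exec primitive alone


def scan_file(path):
    """Return a Finding for one JSP file, or None if no exec primitive is present."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        data = fh.read()
    hits = [name for name, pat in EXEC_PATTERNS.items() if pat.search(data)]
    if not hits:
        return None
    severity = "high" if INPUT_PATTERN.search(data) else "medium"
    return Finding(path=path, name=os.path.basename(path), indicators=hits, severity=severity)


def scan_tree(root, modified_since=0.0):
    """Walk a web root and return findings, highest severity first.

    modified_since is epoch seconds; older files are skipped so a hunt can be
    scoped to the exposure window (for example, from when the host went unpatched).
    """
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(JSP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < modified_since:
                continue
            finding = scan_file(path)
            if finding is not None:
                findings.append(finding)
    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f.severity], f.path))
    return findings


def build_sample_tree():
    """Constructed sample web root (hypothetical layout) with three JSP files."""
    root = tempfile.mkdtemp(prefix="confluence-demo-")
    webroot = os.path.join(root, "confluence")
    os.makedirs(webroot)
    samples = {
        # Benign: reads a parameter but never executes anything.
        "login.jsp": '<%@ page contentType="text/html" %>\n'
                     '<html><body>Hello <%= request.getParameter("user") %></body></html>\n',
        # Suspicious: a request parameter flows straight into Runtime.exec (web shell shape).
        "x.jsp": '<%@ page import="java.io.*" %>\n'
                 '<% String c = request.getParameter("cmd");\n'
                 '   if (c != null) { Process p = Runtime.getRuntime().exec(c);\n'
                 '     out.print(new String(p.getInputStream().readAllBytes())); } %>\n',
        # Exec primitive with a hard-coded command: worth review, but not fed by input.
        "maint.jsp": '<% new ProcessBuilder("ls", "/tmp").start(); %>\n',
    }
    for name, body in samples.items():
        with open(os.path.join(webroot, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.severity:6} {f.path}  indicators={','.join(f.indicators)}")
```

Run it against the real install path instead of the constructed tree, and pass `modified_since` as the start of the exposure window to cut the noise from shipped files. The heuristics only catch plain-text shells; a shell that builds its class names from string fragments or stores its payload outside the web root will not match, so pair this with a checksum comparison against a clean copy of the same Confluence release and with a review of the web server access log for requests to JSP files that were never part of the install.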