Atlassian warns that Confluence zero-day is being exploited by hackers

Update (2:01 pm EST): Atlassian has released a patch for the bug and said it has notified all potentially vulnerable customers of the fix.

Atlassian has warned its customers that hackers are exploiting a zero-day vulnerability in all supported versions of Confluence Server and Data Center.

A spokesperson for the Australia-based software firm told The Record that the bug – tagged as CVE-2022-26134 – does not yet have a patch. 

“We have contacted all potentially vulnerable customers directly to alert them of this vulnerability. Atlassian Engineering teams are actively working on a patch, and we will update our security advisory with an estimate for completion as soon as possible,” the spokesperson said. 

Atlassian was tight-lipped about the specifics of the critical unauthenticated remote code execution vulnerability in an effort to protect users while a patch is created. In its advisory on the issue, the company said a security fix will be “available for customer download within 24 hours (estimated time, by EOD June 3 PDT).”

The company suggested users restrict access to Confluence Server and Data Center instances from the internet or disable instances. For those unable to take these measures, Atlassian suggested implementing a Web Application Firewall rule which blocks URLs containing ${. 
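Atlassian's interim advice boils down to a string match on ${ in the request target. As an added example (not code from Atlassian, Volexity or this article), the following Python applies that same check to web-server access-log lines for after-the-fact triage, percent-decoding the target first because the marker may arrive as %24%7B or double-encoded; the log lines, IP addresses and paths are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5123
10.0.0.7 - - [03/Jun/2022:10:01:09 +0000] "GET /${placeholder}/ HTTP/1.1" 302 0
10.0.0.9 - - [03/Jun/2022:10:01:15 +0000] "GET /%24%7Bplaceholder%7D/ HTTP/1.1" 302 0
10.0.0.9 - - [03/Jun/2022:10:01:21 +0000] "GET /%2524%257Bplaceholder%257D/ HTTP/1.1" 302 0
10.0.0.11 - - [03/Jun/2022:10:02:00 +0000] "GET /display/SPACE/Page?q=price%20%24 HTTP/1.1" 200 800
"""

# Pulls client IP, timestamp, method and request target out of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

def decode_fully(target, max_rounds=3):
    """Percent-decode until the string stops changing, so single- and
    double-encoded forms of "${" are compared in their decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def suspicious_requests(log_text):
    """Return (client_ip, raw_target) for every request whose decoded
    path or query string contains the "${" marker from Atlassian's advice."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if "${" in decode_fully(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits

if __name__ == "__main__":
    for ip, target in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{target}")
```

The lone %24 in the last sample line is not flagged, which is the point of matching the two-character marker rather than the dollar sign alone.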

Atlassian said the issue was discovered by security firm Volexity, which released its own blog about the vulnerability. 

Volexity security researchers Andrew Case, Sean Koessel, Steven Adair and Thomas Lancaster said they conducted an incident response investigation over Memorial Day weekend into suspicious activity on two internet-facing web servers, belonging to one of Volexity's customers, that were running Atlassian Confluence Server software.

“After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. Volexity was subsequently able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server,” the company explained. 

The researchers contacted Atlassian on May 31 and noted that the bug resembles “previous vulnerabilities that have also been exploited in order to gain remote code execution.”

Volexity said this class of vulnerability is particularly dangerous because it allows attackers to execute commands and “gain full control of a vulnerable system without credentials as long as web requests can be made to the Confluence Server system.”

The attacker discovered by Volexity exploited the vulnerability and deployed a copy of BEHINDER, a popular web server implant that they said “provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike.”

The Cybersecurity and Infrastructure Security Agency (CISA) released its own warning about the bug and immediately added it to its catalog of known exploited vulnerabilities.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.