Exploit for 0-day Vulnerability in Atlassian Confluence

PoC exploits have appeared for the critical vulnerability CVE-2022-26134, which affects Atlassian Confluence Server and Data Center.

This bug allows unauthenticated attackers to create new administrator accounts, execute commands, and take over the affected server.

Let me remind you that the vulnerability was discovered last week by Volexity experts. CVE-2022-26134 is an RCE vulnerability that requires no authentication and is exploited through OGNL injection.
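Because the bug is an OGNL injection, one thing defenders can do right away is look through web server access logs for request paths that carry an OGNL-style `${...}` expression. The following is an added example written for this article, not code from Volexity, Atlassian or the article's author; it assumes the combined access-log format, and the log lines it scans are constructed samples, not real traffic. It decodes the request target repeatedly so that double-URL-encoded expressions are not missed.

```python
"""Flag access-log lines whose request path contains an OGNL-style ${...}
expression. Added example; log format (combined) and sample lines are assumed."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format assumed).
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2022:10:14:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [03/Jun/2022:10:14:07 +0000] "GET /%24%7Bfoo%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.12 - - [03/Jun/2022:10:15:22 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
203.0.113.13 - - [03/Jun/2022:10:16:40 +0000] "POST /%2524%257Bbar%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# OGNL expression marker: a dollar sign followed by a braced expression.
OGNL_RE = re.compile(r"\$\{[^}]*\}")


def decode_target(target: str) -> str:
    """Percent-decode until the string stops changing (handles double encoding)."""
    prev, cur = None, target
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur


def find_ognl_requests(log_text: str):
    """Return (ip, method, decoded path) for each line whose path holds ${...}."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        # Only the path is examined; the query string is dropped before matching.
        path = decode_target(m["target"]).split("?", 1)[0]
        if OGNL_RE.search(path):
            hits.append((m["ip"], m["method"], path))
    return hits


if __name__ == "__main__":
    for ip, method, path in find_ognl_requests(SAMPLE_LOG):
        print(f"suspicious {method} from {ip}: {path}")
```

The check is deliberately narrow: it only matches the `${...}` marker in the path, so it will not catch every variant, but it produces very few false positives on normal Confluence traffic and is cheap to run over large logs.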

"During the attack studied by experts, the attackers installed BEHINDER, a JSP web shell that allows remote commands to be executed on a compromised server, on the victim's system. The hackers then used BEHINDER to install the China Chopper web shell and a simple file upload tool. BEHINDER provides attackers with powerful capabilities, including in-memory web shells, as well as built-in support for Meterpreter and Cobalt Strike," Volexity experts explained.

Let me also remind you that we previously wrote about the critical vulnerabilities Atlassian developers found in Jira Service Desk.

Atlassian developers reported that the vulnerability is confirmed in Confluence Server 7.18.0, while Confluence Server and Data Center 7.4.0 and higher are also vulnerable.


Patches have already been released for the bug. If patching is not possible, then, given the severity of the problem, users are advised either to restrict access to Confluence Server and Data Center from the Internet or to temporarily disable them altogether.

Earlier last week, attacks exploiting the newly disclosed bug were reported. Analysts wrote that numerous attackers from China were behind these attacks. Now the number of attacks has increased, and at the end of last week a PoC exploit was published, which was widely distributed on the network over the weekend.

The exploits circulating on the web make it easy to create new administrator accounts, trigger DNS lookups, collect system information, and create reverse shells.


Andrew Morris, head of the security company GreyNoise, wrote on Twitter that at first 23 unique IP addresses were exploiting CVE-2022-26134, and that their number has since grown almost tenfold, reaching 211 unique IP addresses.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
