June 17, 2022

More than 850 unique IP addresses have attempted to exploit a critical zero-day Atlassian’s Confluence vulnerability, barely a week after a security fix was released.

Confluence is a team workspace application that is used by approximately 75,000 customers. Most of Confluence’s work takes place in the cloud, which was not affected by the vulnerability.

The critical Object Graph Navigation Language (OGNL) vulnerability tracked as CVE-2022-26134 was disclosed in the on-premise versions of Confluence Server and Data Center. The flaw could let an attacker remotely execute code in Confluence Data Center and Server.

According to the GreyNoise researchers, the attacks appear to be quite targeted, as attackers appear to check IP addresses to make sure the IP is running Confluence before starting the attack. Some observed exploit activity includes generic reverse shells, payloads with obfuscation.

Researchers explain that the mass exploitation of the vulnerability may be due to several factors, including the ease of exploitation and valuable information stored in the Confluence database, including passwords, proprietary customer information and other confidential data.

The sources for this piece include an article in CIODIVE.