Tagvent 2023

The Fifth Day Of Tagsmas (2023): Unauthorized Admin Accounts on Atlassian Confluence Server and Data Center (CVE-2023-22515)

CVE
CVE-2023-22515
In CISA KEV
Vulnerability
Atlassian Confluence Server and Data Center
Description
A critical severity vulnerability in Atlassian Confluence Server and Data Center that was publicly disclosed on October 4, 2023. It allows unauthenticated remote attackers to create unauthorized Confluence administrator accounts and gain full access to Confluence instances.
Tags

Discovery and Initial Impact

CVE-2023-22515 was reported to Atlassian and publicly disclosed on October 4th, 2023; the reporter had already exploited it successfully to gain unauthorized administrator access.

Atlassian also acknowledged that they were made aware that nation-state actors had been exploiting the vulnerability in internet-facing Confluence servers since at least September 14th to create backdoor admin accounts.

The ease of exploitability and lack of need for authentication made this an extremely dangerous 0-day that was likely being exploited for weeks before discovery and disclosure. The initial impact was creating backdoor admin accounts for persistent access.

Exploitation and Long-Term Impacts

After disclosure, multiple researchers and vendors analyzed the vulnerability and found it trivial to exploit. The flaw is a broken access control in Confluence's first-run setup flow: an unauthenticated request can flip the instance's setup-complete state back to "not yet configured", which re-enables the setup wizard, and the attacker can then call the "/setup/setupadministrator.action" endpoint to create a new administrator account, all without ever supplying credentials.
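Because the attack chain consists of a handful of distinctive HTTP requests, it is visible in the web server or Tomcat access log. The detector below is an added example written for this page, not code from GreyNoise or Atlassian. It scans constructed Tomcat-style access-log lines (not real telemetry) for the two indicators Atlassian and public analyses pointed at: a query parameter ending in `setupComplete=false`, and any request to a path under `/setup/`, which a production instance should never receive. The log format, sample IPs and the `classify`/`scan` function names are assumptions made for the example.

```python
"""Added example (not GreyNoise's or Atlassian's code): flag the request pattern used
to exploit CVE-2023-22515 in Confluence/Tomcat access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Tomcat "common" access-log pattern: ip - user [time] "METHOD url HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for the example; not real telemetry.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2023:03:14:07 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0
203.0.113.7 - - [20/Sep/2023:03:14:09 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
203.0.113.7 - - [20/Sep/2023:03:14:11 +0000] "POST /setup/finishsetup.action HTTP/1.1" 200 5122
198.51.100.23 - alice [20/Sep/2023:08:01:33 +0000] "GET /rest/api/content?spaceKey=ENG HTTP/1.1" 200 8813
198.51.100.23 - alice [20/Sep/2023:08:02:01 +0000] "GET /login.action HTTP/1.1" 200 3391
"""


def classify(line):
    """Return an indicator tag for one access-log line, or None if nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    path, query = parts.path, parse_qs(parts.query)

    # Indicator 1: the bootstrap "setup complete" flag being reset through a request parameter.
    # Only GET parameters are visible here; a POST body carrying the same flag would not be logged.
    for key, values in query.items():
        if key.endswith("setupComplete") and any(v.lower() == "false" for v in values):
            return "setup-state-reset"

    # Indicator 2: any hit on the setup wizard. "/setup/" is matched anywhere in the path so that
    # instances deployed under a context path (e.g. /confluence/setup/...) are covered too.
    if "/setup/" in path:
        if path.endswith("setupadministrator.action"):
            return "admin-account-creation"
        return "setup-endpoint"
    return None


def scan(log_text):
    """Group indicator hits by client IP so the whole chain from one source is visible."""
    hits = {}
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            ip = LOG_RE.match(line)["ip"]
            hits.setdefault(ip, []).append(tag)
    return hits


if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(f"{ip}: {' -> '.join(tags)}")
```

A single `setup-endpoint` hit on an internet-facing instance is already worth a look; the full sequence `setup-state-reset -> admin-account-creation -> setup-endpoint` from one address, as in the constructed sample, is the exploitation chain itself and should trigger a review of the `confluence-administrators` group.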

Long-term impacts go beyond just account creation. With admin access, attackers have full control of the Confluence instance, including installing plugins, accessing sensitive documents/data, or using it as an internal pivot point to compromise other systems.

Post-exploitation activities depend on the attacker's objectives, but the impacts can be extremely severe given the level of access obtained.

GreyNoise has observed consistent exploitation attempts targeting this vulnerability.

Why Defenders Should Still Be Concerned

Even though patches have been available for over a month, Atlassian has stated that only around 50% of vulnerable internet-facing Confluence instances have been updated. This leaves a large attack surface exposed.

Additionally, any instances that were compromised before patching are still at risk. Attackers could have left backdoors or additional access methods in place. Simply patching does not remove attackers who are already present within the impacted Confluence server.

Defenders should urgently upgrade any vulnerable Confluence Server/Data Center instances to fixed versions. Treat any host that was internet-facing while unpatched as potentially compromised; where there is evidence of exploitation, assume the host is fully compromised, rebuild it when possible, and thoroughly inspect all administrator accounts, group memberships, installed plugins, and permissions for signs of unauthorized changes.
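Knowing which hosts still need the upgrade is the first step, and Confluence version strings are easy to compare incorrectly (8.5.1 is affected, 8.5.2 is not, and no 8.0.x, 8.1.x or 8.2.x release was ever fixed). The script below is an added example, not Atlassian tooling; the affected and fixed versions are taken from Atlassian's advisory for CVE-2023-22515 (fixed in 8.3.3, 8.4.3 and 8.5.2, with 8.6.0 and later unaffected and everything before 8.0.0 unaffected). The inventory of hostnames and versions is constructed for the example, and the function names are assumptions.

```python
"""Added example (not Atlassian's tooling): triage a Confluence inventory for CVE-2023-22515."""
import re

# Fixed releases per Atlassian's advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
FIRST_AFFECTED = (8, 0, 0)   # 7.x and earlier are not affected
FIRST_SAFE_MINOR = (8, 6)    # 8.6.0 and later shipped with the fix


def parse_version(s):
    """Turn '8.5.1', '7.19.14' or '8.5.2-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.].*)?", s.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {s!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0))


def is_vulnerable(version):
    v = parse_version(version)
    if v < FIRST_AFFECTED or v[:2] >= FIRST_SAFE_MINOR:
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return True           # 8.0.x, 8.1.x, 8.2.x: no fixed release on that branch
    return v < fixed


def recommended_upgrade(version):
    """Smallest fixed release on the host's own branch; branches with no fix get the 8.5 LTS fix."""
    v = parse_version(version)
    if not is_vulnerable(version):
        return None
    return FIXED_BY_BRANCH.get(v[:2], FIXED_BY_BRANCH[(8, 5)])


def triage(inventory):
    """inventory: {hostname: version string}; returns {hostname: target version} for exposed hosts."""
    return {
        host: ".".join(map(str, recommended_upgrade(ver)))
        for host, ver in inventory.items()
        if is_vulnerable(ver)
    }


# Constructed inventory for the example; not real hosts.
SAMPLE_INVENTORY = {
    "wiki-prod": "8.5.1",
    "wiki-staging": "8.5.2",
    "wiki-legacy": "7.19.14",
    "wiki-eu": "8.2.0",
    "wiki-dev": "8.6.0",
}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: still vulnerable, upgrade to {target} or later")
```

The version check only tells you who still needs the patch; it says nothing about whether a host was compromised before patching, which is why the administrator-account and plugin review above is needed on every instance that was exposed during the exploitation window.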
