Critical Atlassian Confluence vulnerability exploited by state-backed threat actor

A critical flaw in Atlassian Confluence Data Center and Server (CVE-2023-22515) has been exploited by a state-backed threat actor, Microsoft's threat analysts have found.

About the vulnerability

CVE-2023-22515 was initially classified as a critical privilege escalation vulnerability affecting Confluence Data Center and Server versions 8.0.0 and later, but then re-classified as an issue stemming from broken access control.

Atlassian said on October 5 that multiple customers had reported attacks in which external attackers used the flaw to create unauthorized Confluence administrator accounts and access Confluence instances. The following day, the company said it had evidence suggesting that a known nation-state actor was actively exploiting CVE-2023-22515.

The company advised admins to update their self-hosted Confluence installations to a fixed version (8.3.3 or later, 8.4.3 or later, 8.5.2 or later) or to restrict external access to them, and to check for indicators of compromise.
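One way to triage an inventory of self-hosted Confluence versions against the ranges stated above, as an added example that is neither the article's nor Atlassian's code; it assumes plain major.minor.patch version strings and reads "8.5.2 or later" as covering every later release branch:

```python
from typing import Dict, Iterable, Tuple

# Version facts as stated in the article for CVE-2023-22515:
# affected: Confluence Data Center and Server 8.0.0 and later;
# fixed:    8.3.3 or later, 8.4.3 or later, 8.5.2 or later.
AFFECTED_FROM = (8, 0, 0)
# Each fixed release with the end (exclusive) of the branch it covers.
# Assumption: "8.5.2 or later" covers every later branch (8.6.0, ...),
# since the article names no affected release beyond it.
FIXED_BRANCHES = [
    ((8, 3, 3), (8, 4, 0)),
    ((8, 4, 3), (8, 5, 0)),
    ((8, 5, 2), None),
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple; missing parts are 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def cve_2023_22515_status(version: str) -> str:
    """Return 'not-affected', 'fixed' or 'vulnerable' for one Confluence version."""
    v = parse_version(version)
    if v < AFFECTED_FROM:
        return "not-affected"
    for start, end in FIXED_BRANCHES:
        if v >= start and (end is None or v < end):
            return "fixed"
    return "vulnerable"

def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each deployed version to its status. 'vulnerable' hosts need an
    upgrade (or external access restricted) and a review for the indicators
    of compromise Atlassian published, e.g. unexpected administrator accounts."""
    return {ver: cve_2023_22515_status(ver) for ver in versions}

if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    sample = ["7.19.14", "8.0.0", "8.2.3", "8.3.3", "8.4.2", "8.5.1", "8.5.2", "8.6.0"]
    for ver, status in triage(sample).items():
        print(f"{ver:>8}: {status}")
```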

CVE-2023-22515 exploited in the wild

Microsoft’s security experts said today that they have observed a nation-state threat actor they dubbed Storm-0062 exploiting CVE-2023-22515 since September 14. “Storm-0062 is tracked by others as DarkShadow or Oro0lxy,” they noted, and shared four IP addresses sending related CVE-2023-22515 exploit traffic.

On Tuesday, Rapid7 researchers released a thorough technical analysis of CVE-2023-22515, along with associated indicators of compromise.

“Atlassian indicated that this vulnerability was exploited in the wild as a zero-day vulnerability, prior to their knowledge or a patch being available. The observed attacker behavior included leveraging CVE-2023-22515 to create a new administrator user, but we believe that this is not the only way the vulnerability could be used,” Rapid7 security researcher Stephen Fewer noted.

“Our analysis concludes that this vulnerability is remotely exploitable by an unauthenticated attacker, and can be leveraged to create a new administrator account on the target Confluence server. This can lead to a total loss of integrity and confidentiality of the data held in the server. Since the root cause of the vulnerability allows an attacker to modify critical configuration settings, an attacker may not be limited to creating a new administrator — there may be further avenues of exploitation available.”

GreyNoise, which tracks internet-wide system scanning efforts, has created a tag to record CVE-2023-22515 exploitation attempts.

UPDATE (October 16, 2023, 4:10 p.m. ET):

CISA, the FBI, and MS-ISAC have published an advisory in response to the active exploitation of CVE-2023-22515, containing IoCs and mitigation advice.
