iTnews Asia
Confluence vulnerabilities under active ransomware exploitation

Patch immediately.

By Richard Chirgwin on Nov 8, 2023 10:24AM

The Atlassian Confluence Data Centre and Server vulnerability first disclosed last week is under active exploitation.

Security company Rapid7 said it has seen attackers exploiting the improper authorisation vulnerability designated CVE-2023-22518.

Rapid7 said an execution chain that is “consistent across multiple environments” indicates “possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers”.

If an attack is successful, Rapid7’s post said, the Cerber ransomware is installed on the exploited Confluence server.

Atlassian’s updated advisory said it had received at least one customer exploitation report, and that it had upgraded the CVSS score for this vulnerability from 9.1 to 10.

Dr Johannes Ullrich of the SANS Institute wrote that the institute has seen traffic trying to attack the Confluence URLs identified in Atlassian’s advisory, along with this URL: “/rest/api/user?username=”.

He wrote that the institute has spotted an IP address, 206.189.179.132, which is a known attacker: “no stranger to our logs”.

Other attacker IPs in the SANS Institute’s logs include 103.207.14.235 and 103.207.14.196 from India, 104.238.130.6 from the US, and 99.245.96.12 from Canada.

Rapid7 identified three other IPs: 193.176.179.41, 193.43.72.11, and 45.145.6.112.
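
As an added example (not code from this article, Rapid7 or the SANS Institute), the addresses and URL reported above can be checked against a Confluence front-end access log. The "combined" log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Source addresses named in the article (SANS Institute and Rapid7 sightings).
REPORTED_IPS = {ipaddress.ip_address(a) for a in (
    "206.189.179.132", "103.207.14.235", "103.207.14.196", "104.238.130.6",
    "99.245.96.12", "193.176.179.41", "193.43.72.11", "45.145.6.112")}
# Path the SANS logs show being probed. The URLs from Atlassian's advisory are
# not listed in the article; add them from the advisory itself.
PROBED_PATH_SUFFIX = "/rest/api/user"

# Assumption: the access log uses the Apache/Tomcat "combined" layout.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def triage(line):
    """Return (ip, timestamp, status, reasons) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    reasons = []
    try:
        if ipaddress.ip_address(m["ip"]) in REPORTED_IPS:
            reasons.append("reported-ip")
    except ValueError:
        pass  # client field is a hostname or malformed; still check the path
    url = urlsplit(m["target"])
    # endswith() also covers deployments under a context path such as /wiki.
    on_path = url.path.rstrip("/").endswith(PROBED_PATH_SUFFIX)
    if on_path and "username" in parse_qs(url.query, keep_blank_values=True):
        reasons.append("user-api-probe")
    return (m["ip"], m["ts"], int(m["status"]), reasons) if reasons else None

def scan(lines):
    return [hit for hit in map(triage, lines) if hit]

# Constructed sample lines, not real traffic; 192.0.2.x and 198.51.100.x are documentation ranges.
SAMPLE = [
    '192.0.2.10 - - [08/Nov/2023:01:02:03 +0000] "GET /dashboard.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '206.189.179.132 - - [08/Nov/2023:01:02:09 +0000] "GET /rest/api/user?username= HTTP/1.1" 403 310 "-" "-"',
    '198.51.100.7 - - [08/Nov/2023:01:03:11 +0000] "GET /wiki/rest/api/user?username=admin HTTP/1.1" 200 842 "-" "curl/8.0"',
    '45.145.6.112 - - [08/Nov/2023:01:04:00 +0000] "POST /login.action HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    for ip, ts, status, reasons in scan(SAMPLE):
        print(f"{ts} {ip} status={status} {','.join(reasons)}")
```

A hit is a lead for investigation rather than proof of compromise; the status code shows whether the server answered the request or refused it.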
