CISA, FBI, and MS-ISAC issued a critical security warning, urging network administrators to patch their Atlassian Confluence servers immediately. A severe privilege escalation vulnerability, CVE-2023-22515, poses a significant risk and is actively exploited in attacks. The flaw affects Confluence Data Center and Server versions 8.0.0 and later, and it is remotely exploitable without user interaction.
Atlassian had already advised users to upgrade to fixed versions after the vulnerability was discovered being actively exploited as a zero-day on October 4. Where upgrading is not possible, administrators are advised to isolate affected instances from the internet or shut them down. It is also crucial for administrators to check for signs of compromise, such as suspicious admin user accounts.
According to Atlassian, the fixed versions for Confluence Data Center and Confluence Server are:
- 8.3.3 or later
- 8.4.3 or later
- 8.5.2 (Long-Term Support release) or later.
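As an added example that is not part of the advisory or of Atlassian's own tooling, the fixed-version list above can be turned into a triage check over a server inventory; note that a release can be newer than 8.3.3 and still be unpatched (8.4.0, for instance), so the check must branch on the minor version. The inventory, host names and versions below are constructed sample data.

```python
# Added example (not from the advisory): triage a Confluence inventory against
# the affected and fixed versions listed for CVE-2023-22515.
# Assumptions: versions are plain "major.minor.patch" strings; the inventory
# dict below is constructed sample data, not real hosts.
from typing import Tuple

AFFECTED_FROM = (8, 0, 0)                # 8.0.0 and later are in scope
FIXED_IN = {3: (8, 3, 3), 4: (8, 4, 3)}  # per-branch fixes for 8.3.x and 8.4.x
FIXED_FROM = (8, 5, 2)                   # 8.5.2 (LTS) and every later release


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.4.1' into (8, 4, 1); drop suffixes such as '-SNAPSHOT'."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True if the version is in the affected range and below its fixed release."""
    v = parse_version(version)
    if v < AFFECTED_FROM:
        return False                     # 7.x and older are out of scope
    major, minor, _ = v
    if major == 8 and minor < 3:
        return True                      # 8.0.x to 8.2.x: no fixed release exists
    if major == 8 and minor in FIXED_IN:
        return v < FIXED_IN[minor]       # compare within the 8.3 / 8.4 branch
    return v < FIXED_FROM                # 8.5.x and every later branch


def triage(inventory: dict) -> dict:
    """Map host -> 'patch now' / 'ok' so the result can feed a ticketing system."""
    return {host: ("patch now" if is_vulnerable(ver) else "ok")
            for host, ver in inventory.items()}


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = {
    "wiki-prod-01": "8.5.2",
    "wiki-prod-02": "8.4.1",
    "wiki-stage": "8.2.0",
    "wiki-legacy": "7.19.14",
    "wiki-new": "8.6.0",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:>8}  {verdict}")
```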
Microsoft disclosed that a Chinese-backed threat group known as Storm-0062, a.k.a. DarkShadow, had been exploiting this flaw as a zero-day since at least September 14, 2023.
The joint warning from CISA, FBI, and MS-ISAC emphasizes the urgency of applying Atlassian’s provided upgrades. It suggests organizations hunt for signs of malicious activity using detection signatures and indicators of compromise. The threat landscape is expected to intensify due to the ease of exploitation and the availability of proof-of-concept exploits.
The history of Confluence servers as attractive targets for cyberattacks, including ransomware and malware campaigns, underscores the importance of immediate patching. This advisory serves as a reminder of the ongoing need for vigilance and prompt action in the face of evolving cybersecurity threats.
You can reach the PDF file for the advisory here.