Atlassian Confluence customers with on-premise deployments have a second actively exploited critical vulnerability to worry about in the span of a month.
An improper authorization vulnerability affecting all versions of Confluence Data Center and Server, CVE-2023-22518, is under active exploitation across multiple customer environments to initiate ransomware attacks, according to Caitlin Condon, head of vulnerability research at Rapid7.
Atlassian acknowledged receipt of an active exploit reported by one of its customers on Friday and updated the rating for the CVE on Monday.
“We have escalated CVE-2023-22518 from CVSS 9.1 to 10, the highest critical rating, due to the change in the scope of the attack,” Atlassian said in its advisory for the vulnerability. “Customers must take immediate action to protect their instances. If you already applied the patch, no further action is required.”
Rapid7 observed exploitation in more than six customer environments over a 13-hour period beginning Sunday.
“There's no discernable pattern among victim verticals or geolocations — a number of the impacted organizations are in the United States, but others are global,” Condon said via email.
Rapid7 hasn’t attributed the attacks to a specific threat actor, but it observed the deployment of Cerber ransomware in several incidents with slight technique differences, Condon said.
Yet the process execution chain of the attacks is similar across multiple environments, which could indicate mass exploitation of vulnerable internet-facing Confluence servers, Rapid7 researchers said in an advisory.
Concerns about active exploits have been mounting since the Cybersecurity and Infrastructure Security Agency warned “a cyber actor could exploit this vulnerability to obtain sensitive information,” in a Thursday advisory.
The latest exploits follow a separate exploited zero-day vulnerability in Confluence Data Center and Server, CVE-2023-22515, which Atlassian alerted customers to on Oct. 4. Both CVEs have a base CVSS rating of 10 out of 10.
A nation-state threat actor began actively exploiting CVE-2023-22515 on Sept. 14, Microsoft Threat Intelligence said in an Oct. 10 post on X, the social media site formerly known as Twitter.
Following those attacks, CISA, the FBI and the Multi-State Information Sharing and Analysis Center said they “expect widespread, continued exploitation due to ease of exploitation” in a joint advisory about the critical broken access control vulnerability on Oct. 16.
Threat actors continue to target both vulnerabilities. In one incident observed by Rapid7, a threat actor unsuccessfully attempted to exploit CVE-2023-22515 before using an exploit for CVE-2023-22518, Condon said.
Atlassian made patches for both vulnerabilities available via software updates. A spokesperson for the Australia-based company said it promptly responded to the critical vulnerabilities, urged customers to take immediate action and provided updates as it learned of active exploits, including ransomware attacks.
“Confluence is a massively popular platform worldwide. Its popularity and potential as an initial access vector makes it a high-value attack target,” Condon said. “It's unfortunate that the platform has had two broadly exploited vulnerabilities recently, but two critical vulnerabilities in a month is hardly unusual for complex software.”