
November 9, 2023

Atlassian escalates Confluence bug severity rating to maximum


Atlassian has raised the CVSS score of CVE-2023-22518 to the maximum of 10 amid reports that threat actors have exploited the vulnerability to reset and create administrator accounts.

Originally, Atlassian advised only that the improper authorization vulnerability in Confluence Data Center and Server could lead to significant data loss, and that it would not impact the confidentiality of data residing on the servers.

At least one cybersecurity company is reporting that it has observed signs of mass exploitation of the vulnerability to deploy Cerber ransomware on compromised systems.

As a result of this latest activity, Atlassian is strongly advising its users to update affected instances to a fixed version as soon as possible.

Source: MSN.com

Analysis

It’s now apparent that CVE-2023-22518 is a much more serious threat than initially believed. With administrator privileges, threat actors can deploy malware and ransomware, disable security measures, establish persistence mechanisms, and much more.

Given that one threat actor is already attempting mass ransomware deployments, additional threat actors, both with criminal and espionage intentions, are likely to follow suit.

This issue is another blow for Atlassian, which only last month dealt with another vulnerability (CVE-2023-22515), also in Confluence Data Center and Server, that was exploited by the Chinese state-sponsored actor Storm-0062.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as Confluence. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.

Field Effect strongly encourages users of the affected Confluence Data Center and Server versions to update to a fixed version as soon as possible. Patching alone does not evict an attacker who has already exploited the flaw: because exploitation resets and creates administrator accounts, administrators should also review the local user list for unexpected administrators and check access logs for signs of exploitation before trusting an instance that was exposed while unpatched.
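The following is an added example, not code from the original article, from Field Effect or from Atlassian, showing the kind of log check a practitioner would run on an instance that was exposed while unpatched. It scans Confluence access log lines for the unauthenticated restore endpoints that public exploitation of CVE-2023-22518 abuses (Atlassian's own advisory recommended blocking /json/setup-restore* at the network layer) and then flags follow-on activity in the admin UI from the same source address. The log lines are constructed for the example and use Combined Log Format; the real Confluence/Tomcat access log layout depends on the server.xml configuration, so LOG_RE is an assumption to adapt. Treating a 2xx status as "accepted" is a heuristic: a patched server rejects these requests, so an accepted request on a previously unpatched instance deserves a closer look.

```python
"""Flag CVE-2023-22518 exploitation attempts in Confluence access logs.

Added example (not from the original article or from Atlassian). Assumes
Combined Log Format; adapt LOG_RE to your own access log pattern.
"""
import re
from collections import defaultdict

# Unauthenticated restore endpoints hit by public exploitation of CVE-2023-22518;
# Atlassian advised blocking /json/setup-restore* at the network layer.
RESTORE_ENDPOINTS = (
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
)

# Combined Log Format (assumption; real Confluence access logs may differ).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log: one accepted restore request followed by admin UI access,
# one rejected restore request, and ordinary user traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Nov/2023:02:11:40 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - - [06/Nov/2023:02:11:43 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 312
203.0.113.7 - - [06/Nov/2023:02:12:01 +0000] "GET /admin/users/browse-users.action HTTP/1.1" 200 8801
198.51.100.9 - - [06/Nov/2023:02:15:10 +0000] "POST /json/setup-restore-local.action HTTP/1.1" 403 0
10.0.0.5 - alice [06/Nov/2023:09:00:00 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 14220
10.0.0.5 - alice [06/Nov/2023:09:00:05 +0000] "POST /rest/api/content HTTP/1.1" 200 980
""".splitlines()


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    return entry


def is_restore_request(entry):
    """True for a POST to one of the setup/restore endpoints."""
    return entry["method"] == "POST" and entry["path"] in RESTORE_ENDPOINTS


def find_exploit_attempts(lines):
    """Return every parsed entry that looks like a CVE-2023-22518 exploitation attempt."""
    return [e for e in map(parse_line, lines) if e is not None and is_restore_request(e)]


def summarize_by_source(findings):
    """Count attempts per source IP; a 2xx response is treated (heuristically) as accepted."""
    per_ip = defaultdict(lambda: {"attempts": 0, "accepted": 0})
    for e in findings:
        per_ip[e["ip"]]["attempts"] += 1
        if 200 <= e["status"] < 300:
            per_ip[e["ip"]]["accepted"] += 1
    return dict(per_ip)


def follow_on_admin_activity(lines):
    """For each IP that sent a restore request, count its later hits on /admin/ pages."""
    flagged = {}
    for e in map(parse_line, lines):
        if e is None:
            continue
        if is_restore_request(e):
            flagged.setdefault(e["ip"], 0)
        elif e["ip"] in flagged and e["path"].startswith("/admin/"):
            flagged[e["ip"]] += 1
    return flagged


if __name__ == "__main__":
    hits = find_exploit_attempts(SAMPLE_LOG)
    for ip, stats in summarize_by_source(hits).items():
        print(f"{ip}: {stats['attempts']} restore request(s), {stats['accepted']} accepted")
    for ip, n in follow_on_admin_activity(SAMPLE_LOG).items():
        print(f"{ip}: {n} admin page request(s) after the restore attempt")
```

Run it against the real access log by replacing SAMPLE_LOG with the file's lines; any source with an accepted restore request and subsequent admin activity is a strong indicator that the instance was compromised before patching and needs a full incident response rather than just an upgrade.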
