Ransomware groups are abusing an already patched RCE vulnerability in Atlassian Confluence Server and Data Center instances. The vulnerability, already being exploited by some new botnets, is being actively exploited for initial access to target networks. A week ago, the flaw CVE-2022-26134 was abused for installing web shells to achieve remote code execution.

AvosLocker abusing the flaw

Researchers from Prodaft have discovered that the AvosLocker ransomware affiliates are exploiting the flaw (CVE-2022-26134) on a large scale, targeting unpatched servers.
  • AvosLocker looks for exposed systems used to run Atlassian Confluence systems by mass scans on networks.
  • The operators have already targeted multiple organizations around the world, including the U.S., Australia, and Europe.

Cerber ransomware abusing the flaw

Multiple victims have reported Cerber2021 ransomware infection as well, which is actively targeting and encrypting Confluence instances unpatched for the CVE-2022-26134.
  • The increased number of successful Cerber ransomware attacks coincides with the release of CVE-2022-26134 PoC exploits.
  • Further, Microsoft has also confirmed that Confluence servers were exploited to install Cerber2021.


Ransomware groups such as Cerber and AvosLocker have joined the wagon into exploiting the flaw in Confluence instances. This highlights the fact that cyber attackers are very active in exploiting zero-day vulnerabilities in such popular commercial products. Thus, experts suggest upgrading Confluence to stay protected from the ongoing active exploitation.
Cyware Publisher