Proof-of-concept exploits for the critical CVE-2022-26134 vulnerability in Atlassian Confluence and Data Center servers are available online. The bug tagged as CVE-2022-26134 is a severe unauthenticated, remote code execution vulnerability that affects all Atlassian Confluence and Data Center 2016 servers after version 1.3.0.

So what if the bug gets into the systems?

Unauthenticated, remote attackers can use successful exploitation to create new admin accounts, run commands, and eventually seize control of the server.

Which systems were compromised?

A proof-of-concept exploit for this flaw was publicly released. The Atlassian vulnerabilities were exploited by 23 different IP addresses, according to researchers.
  • According to a Tweet by Shadowserver, there were roughly 4000 confluence instances available worldwide, the majority in the United States, in exploitation and testing for Atlassian Confluence CVE-2022-26134.
  • Atlassian released a security advisory over the weekend on June 2 about a zero-day vulnerability in all versions of Confluence Server and Data Center that is already being exploited in the wild.

What is CVE-2022-26134?

CVE-2022-26134 is a critical severity vulnerability that can be exploited by a threat actor to execute unauthenticated RCE.
  • In terms of mitigation and prevention, Atlassian's first advice included broad solutions like barring access to the Confluence server and Data Center, but on Friday, June 3, the company published a patch to address the problem.
  • This vulnerability does not affect organisations that use Atlassian Cloud, which can be accessed through atlassian.net.
 

The Impact

The potential harm that a threat actor might inflict to the victim's infrastructure, as with any other RCE vulnerability, can be devastating, and if done correctly, can lead to a total domain takeover.
  • If this vulnerability is successfully exploited, a threat actor can use it to install whatever backdoor, ransomware, information stealer, or remote access tool (RAT) they choose, as well as conduct a high-alert campaign against companies that employ these products.
  • The threat actor can use a specially crafted HTTP request to include the code they want to run on the vulnerable server located in the URI to exploit this issue.
 

Any solution/recommendation in store?

The defensive approaches could include:
  • Restricting internet access to Confluence Server and Data Center instances.
  • Confluence Server and Data Center instances are disabled.
  • Applying YARA rules can help prevent this kind of assault.
  • Address the front-facing security vendors (IPS/IDS)
  • Patching your confluence servers immediately
Not doing so will ultimately lead to more significant attacks, including ransomware deployment and data theft.
Cyware Publisher

Publisher

Cyware