CVE-2023-22527 Detection Article

Adversaries carry out high-profile in-the-wild attacks by weaponizing RCE vulnerabilities impacting Atlassian Confluence servers. A newly uncovered RCE vulnerability in the Confluence Data Center and Confluence Server has been observed under active exploitation just a few days after its discovery. The critical flaw tracked as CVE-2023-22527 with the highest possible CVSS score of 10.0 affects outdated Atlassian Confluence servers.

Detect CVE-2023-22527 Exploitation Attempts

With around 30,000 new vulnerabilities reported in 2023 and a constantly growing trend forecasted for the upcoming years, cybersecurity professionals require an innovative solution to detect exploits on time and proactively defend organizational infrastructure. 

In view of the critical severity of the flaw and major adoption of Atlassian solutions by enterprises globally, it’s vital to have a reliable source of detection content to identify related cyber attacks at the earliest stages of development. 

Possible CVE-2023-22527 (Confluence Data Center And Server Remote Code Execution) Exploitation Attempt (via webserver)

The rule above, provided by the SOC Prime Team, helps identify possible exploitation attempts against CVE-2023-22527 that aim at remote code execution to gain initial access to vulnerable applications. To work as intended, the rule requires logging of the POST request body for every request. The detection is compatible with 13 SIEM, EDR, XDR, and Data Lake solutions and is mapped to MITRE ATT&CK v14, addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as the main technique.

To always stay on top of attacks relying on emerging CVEs, drill down to the entire collection of relevant rules and hunting queries available in SOC Prime’s Threat Detection Marketplace. Click the Explore Detections button and access the extensive detection stack with the complete threat context at your fingertips.


CVE-2023-22527 Analysis

On January 16, 2023, Atlassian issued a security bulletin notifying its customers of a newly disclosed critical RCE vulnerability in Confluence. The template injection vulnerability, tracked as CVE-2023-22527, enables unauthenticated attackers to achieve RCE on affected software instances. Rated 10.0 on the CVSS scale, indicating the highest severity, the vulnerability affects outdated software versions released prior to Dec. 5, 2023, along with version 8.4.5, which is no longer receiving backported fixes.

According to Shadowserver’s threat monitoring service, there have already been 40K+ exploitation attempts weaponizing CVE-2023-22527, with in-the-wild attacks originating from slightly over 600 distinct IP addresses. Notably, over 20K of the identified IP addresses are Russia-linked.

As for CVE-2023-22527 mitigation measures, Atlassian hasn’t provided any workaround. To remediate the threat, customers are strongly recommended to upgrade each affected product to the latest version available. Even though the latest supported versions of Confluence remain unaffected by this flaw, Atlassian advises its customers to update to the most recent release so that servers are also protected against any potential non-critical security bugs.

Defenders can try searching SOC Prime for dozens of vendor-agnostic rules and queries to detect threats affecting Atlassian Confluence endpoints, including known zero-days and CVEs. Explore relevant cyber threat context, including ATT&CK references and mitigations, binaries linked to detections, and other actionable metadata to assist in your threat investigation routine.
