Multiple cybersecurity organizations have observed exploitation attempts against a critical Atlassian Confluence vulnerability that was disclosed and patched last week.
In a security advisory published on Jan. 16, Atlassian detailed a remote code execution vulnerability tracked as CVE-2023-22527 that received the highest possible CVSS score of 10 out of 10.
The flaw affects Atlassian Confluence Data Center and Confluence Server versions between 8.0.x and 8.5.3.
This week, several cybersecurity organizations reported scans and exploitation attempts for the critical template injection vulnerability.
The Shadowserver Foundation observed the earliest exploitation attempts beginning on Jan. 19, just three days after disclosure.
As of Monday, scans conducted by the cybersecurity nonprofit organization revealed that more than 11,000 vulnerable instances remained.
A majority of the scanning activity came from Europe, North America and Asia.
Threat intelligence vendor GreyNoise detected malicious activity beginning on Monday that increased the following day.
As of Tuesday, GreyNoise observed 37 malicious IP addresses attempting to exploit CVE-2023-22527.
Geographic locations of those addresses were similar to Shadowserver's findings, with 11 IP addresses originating in Hong Kong and eight in the U.S. Caitlin Condon, director of vulnerability intelligence at Rapid7, confirmed that the security vendor also observed exploitation attempts for CVE-2023-22527.
SANS Technology Institute's Internet Storm Center also detected initial exploitation activity on Monday.
A blog post by Johannes Ullrich, dean of research at SANS Technology Institute, revealed that exploitation attempts against the center's honeypots had increased following the release of a proof-of-concept exploit.
The attack scope could be lower because the vulnerability does not affect Atlassian Cloud sites.
TechTarget Editorial contacted Atlassian for any updates since last week's advisory.
The vendor declined to expand on exploitation activity, but said the issue was corrected in a previous release, referred to the advisory and emphasized the urgency to patch.
The exploitation activity against CVE-2023-22527 marks another round of attacks on Atlassian's Confluence Data Center and Confluence Server, which have become popular targets for threat actors.
Two months ago, those products suffered widespread attacks connected to a separate vulnerability, CVE-2023-22518.
In October, another Atlassian Confluence zero-day vulnerability, tracked as CVE-2023-22515, also fell under attack.
Arielle Waldman is a Boston-based reporter covering enterprise security news.
This Cyber News was published on www.techtarget.com. Publication date: Tue, 23 Jan 2024 21:43:04 +0000