Atlassian reassessed the severity rating of the recent improper authorization vulnerability in Confluence Data Center and Server, raising the CVSS score from 9.1 to a maximum of 10.
The company overhauled its security advisory for CVE-2023-22518 after it realized there had been a “change in the scope of the attack” on Monday.
In its original advisory, the Aussie-headquartered vendor said exploitation of the vulnerability by an unauthenticated user could lead to “significant data loss.” In the recently updated advisory, it conceded an attacker could reset Confluence and create an administrator account.
With administrator privileges, an attacker’s capabilities in a compromised instance extend far beyond data loss to include malware and ransomware delivery, disable security measures, setting up accounts for long-term access, and more.
In addition to reiterating that all versions of Confluence are affected by the vulnerability and should be upgraded as a matter of emergency, Atlassian has now confirmed that active exploitation of the vulnerability has begun, echoing the recent reports from others in the cybersecurity industry.
Security company Rapid7 reported a possible mass exploitation event was unfolding as of November 5 after its telemetry picked up on attacks in “various customer environments.”
“The process execution chain, for the most part, is consistent across multiple environments, indicating possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers,” it said in a blog post.
Rapid7 went on to note that in many cases, the observed exploits led to attempted downloads of the Cerber ransomware strain, which, if successful, led to its deployment.
Analysis of the Cerber ransomware binary by Red Canary showed that its first submission to VirusTotal was on November 1, indicating that exploitation attempts likely began less than 24 hours after the original advisory was published.
It also believes that the Cerber strain was derived from last year’s Conti leaks.
“The speed at which this campaign unfolded, with only a few days between the release of a patch and active, in-the-wild exploitation, emphasizes how quickly such adversaries work to identify and take advantage of distribution mechanisms for their wares,” said Huntress Labs in its report.
According to Huntress Labs, a Shodan search for “Confluence” returns more than 200,000 results, and searches for the Confluence favicon return more than 5,000. These figures aren’t an indication of the number of vulnerable instances, but do show how many are exposed to the internet.
Vulnerable customers are advised to upgrade immediately, but Atlassian also lists a number of temporary mitigations if upgrades aren’t possible.
The increased severity rating for CVE-2023-22518 now means it matches the severity of the other major Confluence vulnerability, a zero-day disclosed earlier in October.
Atlassian also gave the CVE-2023-22515 flaw a critical 10/10 severity rating. Like the more recent flaw, this too was exploited soon after its original disclosure.
It was deemed to be slightly less severe by the National Institute of Standards and Technology (NIST), which gave it a 9.8 rating instead. NIST is yet to assess the severity of CVE-2023-22518; the maximum rating is the one determined by Atlassian alone. ®