Dive Brief:
- Security researchers are warning about active exploitation of a critical vulnerability in out-of-date versions of Atlassian Confluence Data Center and Server.
- A template injection vulnerability, listed as CVE-2023-22527, allows unauthenticated attackers to gain remote-code execution on affected systems. Atlassian gave the vulnerability a CVSS score of 10.
- Shadowserver on Tuesday reported seeing more than 600 IPs launching tens of thousands of exploitation attempts against the vulnerability since Jan. 19. Researchers at GreyNoise also reported an accelerating volume of attack attempts.
Dive Insight:
Atlassian Confluence has been targeted repeatedly in recent years. In October, a separate critical vulnerability allowed attackers to create unauthorized administrator accounts on exposed Confluence instances. The group exploiting it, tracked as Storm-0062 or DarkShadow, is assessed to be affiliated with China.
Atlassian disclosed the recent critical vulnerability on Jan. 10, noting that it affects only out-of-date Confluence Data Center and Server 8 versions released before Dec. 5, as well as version 8.4.5, which no longer receives backported fixes under the company's security bug-fix policy.
Rapid7 has picked up exploit attempts through its network of honeypots and seen at least one unsuccessful attempt against a production environment, according to Caitlin Condon, director of vulnerability intelligence.
The vulnerability was “corrected” in a previous release of Confluence Server and Data Center, and customers are urged to upgrade immediately to the latest patched version, an Atlassian spokesperson said. The Cybersecurity and Infrastructure Security Agency issued similar guidance on Thursday.
Security researcher Petrus Viet discovered the vulnerability and reported it to Atlassian through its bug bounty program, according to the company.