Dive Brief:
- U.S. Cyber Command issued a warning and called for organizations to immediately patch the Atlassian Confluence vulnerability, CVE-2021-26084, in a tweet Friday.
- Atlassian published a security advisory for the vulnerability on Aug. 25, calling it a critical severity vulnerability affecting Confluence Server and Data Center. The affected releases are those "before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5," the company said. Atlassian Cloud customers are not impacted by the bug.
- The Object-Graph Navigation Language (OGNL) injection vulnerability "would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance," the company said in the advisory. The company released versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0 to fix the bug.
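As an added example (not code from the advisory or this article), the following Python check tells whether a Confluence Server or Data Center version string falls inside the affected ranges quoted above and which fixed release closes it. The range list is transcribed from the advisory wording; the function names are assumptions of this example.

```python
# Added example: map a Confluence version string onto the affected ranges
# quoted in Atlassian's CVE-2021-26084 advisory and name the fixed release.
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn '7.4.10' into (7, 4, 10); pads short strings so 7.4 == 7.4.0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)          # tolerate suffixes like 10-beta
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

# (inclusive lower bound or None, exclusive upper bound) as the advisory states:
# "before 6.13.23, from 6.14.0 before 7.4.11, from 7.5.0 before 7.11.6,
#  and from 7.12.0 before 7.12.5". The upper bound is the fixed release.
AFFECTED_RANGES = [
    (None, "6.13.23"),
    ("6.14.0", "7.4.11"),
    ("7.5.0", "7.11.6"),
    ("7.12.0", "7.12.5"),
]

def recommended_fix(version: str) -> Optional[str]:
    """Return the fixed release on the same branch, or None if not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        above_low = low is None or parse_version(low) <= v
        if above_low and v < parse_version(high):
            return high
    return None  # already on a fixed release (or 7.13.0 and later)

def is_affected(version: str) -> bool:
    return recommended_fix(version) is not None

if __name__ == "__main__":
    # Constructed sample inventory, one version string per host.
    for host, ver in [("wiki-a", "7.4.10"), ("wiki-b", "7.12.5"), ("wiki-c", "6.13.1")]:
        fix = recommended_fix(ver)
        print(f"{host}: {ver} -> {'upgrade to ' + fix if fix else 'not affected'}")
```

Versions in the gaps between ranges (for example 7.4.12, or anything from 7.13.0 up) report as not affected because the advisory's ranges exclude them.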
Dive Insight:
Before the long holiday weekend, U.S. Cyber Command urged immediate patching: "this cannot wait until after the weekend," the tweet said.
Companies deploying remediations are now racing threat actors, who are already scanning for vulnerable instances, according to the Australian Cyber Security Centre's alert.
The vulnerability was found and submitted through Atlassian's bug bounty program, the company said in its alert. Proof-of-concept code was published publicly on Aug. 31, and security professionals now fear the bug could be mass-exploited. Public comments on Atlassian's Jira suggest some users' servers were already compromised.
Because the bug is relatively easy to exploit, Atlassian assigned it a critical rating. Under the company's criteria, critical issues involve either a "root-level compromise" of servers or devices, or attackers who don't need "special authentication credentials or knowledge about individual victims" to exploit the flaw successfully.